fix(install): reject archive with path traversal before extraction (#1250)#1368
Merged
Merged
Conversation
…tk-ai#1250) The installer previously ran `tar -xzf` on the downloaded archive with no pre-extraction verification. A malicious mirror could ship a tarball with `../` components or absolute paths and write files anywhere on the user's filesystem (CWE-22). Add a pre-extraction check that lists archive contents with `tar -tzf` and rejects any entry whose name starts with `/` or contains a `..` path component. The check is POSIX-compliant and adds negligible overhead for the single-binary RTK release tarball. Covered by scripts/test-install.sh, which exercises one safe archive and four crafted malicious archives (leading `..`, absolute path, mid-path `..`, trailing `..`) plus a regression guard that ensures the check remains in install.sh. Co-Authored-By: Claude <noreply@anthropic.com>
pszymkowiak
added
bug
Collaborator
📊 Automated PR Analysis
SummaryAdds a path traversal guard to install.sh that lists archive contents with Review Checklist
Linked issues: #1250 Analyzed automatically by wshm · This is an automated analysis, not a human review. |
pszymkowiak
approved these changes
Apr 22, 2026
Collaborator
pszymkowiak
left a comment
pszymkowiak
left a comment
There was a problem hiding this comment.
Review ✅
Testé en live avec bash scripts/test-install.sh — 6/6 cas passent :
- archive safe acceptée ✅
- 4 archives malveillantes rejetées (leading
../, absolute path, mid-path..., trailing/..) ✅ - regression guard présent ✅
Le fix tar -tzf avant extraction est POSIX-compatible et overhead négligeable. Correction critique pour les utilisateurs curl | sh.
LGTM
Contributor
|
Hey @ousamabenyounes , thanks for your patience. LGTM |
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1250 — CWE-22 path traversal in
install.sh.install.shnow lists archive contents withtar -tzfbefore extraction and rejects any entry that starts with/or contains a..path component.scripts/test-install.shthat exercises one safe archive and four crafted malicious archives (leading../, absolute path, mid-path.., trailing..), plus a regression guard that fails if the check is removed frominstall.sh.Test plan
bash scripts/test-install.sh— all 6 cases pass (1 safe, 4 malicious rejected, 1 regression guard).cargo fmt --all --check && cargo clippy --all-targets && cargo test— 1590 pass / 0 fail / 6 ignored (unchanged from baseline).tar -tzfpipeline verified against hand-crafted tarballs containing../etc/evil,/tmp/abs,rtk/../../../etc/x,rtk/..— all correctly rejected;rtk,./rtk,..hidden,rtk/subdir/bincorrectly accepted.Vibe Coded by Ousama Ben Younes
Developed With Ora Studio (Claude Code)