authorJordan Borean <jborean93@gmail.com>2020-04-01 06:39:02 +1000
committerGitHub <noreply@github.com>2020-04-01 06:39:02 +1000
commita20a52701402a12f91396549df04ac55809f68e9 (patch)
treea827b6b7c0a46f53bc47ad8d190616c55a2e8f2a /test/units/galaxy
parent8c044b846d1ea9e2a9c8870b1eaf6db3775e8e2c (diff)
downloadansible-a20a52701402a12f91396549df04ac55809f68e9.tar.gz
ansible-galaxy - Fix tar path traversal issue during install - CVE-2020-10691 (#68596)
Diffstat (limited to 'test/units/galaxy')
-rw-r--r--test/units/galaxy/test_collection.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/test/units/galaxy/test_collection.py b/test/units/galaxy/test_collection.py
index b283b8b136..f6b285cca0 100644
--- a/test/units/galaxy/test_collection.py
+++ b/test/units/galaxy/test_collection.py
@@ -9,6 +9,7 @@ __metaclass__ = type
import json
import os
import pytest
+import re
import tarfile
import uuid
@@ -735,6 +736,27 @@ def test_extract_tar_file_missing_parent_dir(tmp_tarfile):
os.path.isfile(output_file)
+def test_extract_tar_file_outside_dir(tmp_path_factory):
+ filename = u'ÅÑŚÌβŁÈ'
+ temp_dir = to_bytes(tmp_path_factory.mktemp('test-%s Collections' % to_native(filename)))
+ tar_file = os.path.join(temp_dir, to_bytes('%s.tar.gz' % filename))
+ data = os.urandom(8)
+
+ tar_filename = '../%s.sh' % filename
+ with tarfile.open(tar_file, 'w:gz') as tfile:
+ b_io = BytesIO(data)
+ tar_info = tarfile.TarInfo(tar_filename)
+ tar_info.size = len(data)
+ tar_info.mode = 0o0644
+ tfile.addfile(tarinfo=tar_info, fileobj=b_io)
+
+ expected = re.escape("Cannot extract tar entry '%s' as it will be placed outside the collection directory"
+ % to_native(tar_filename))
+ with tarfile.open(tar_file, 'r') as tfile:
+ with pytest.raises(AnsibleError, match=expected):
+ collection._extract_tar_file(tfile, tar_filename, os.path.join(temp_dir, to_bytes(filename)), temp_dir)
+
+
def test_require_one_of_collections_requirements_with_both():
cli = GalaxyCLI(args=['ansible-galaxy', 'collection', 'verify', 'namespace.collection', '-r', 'requirements.yml'])
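Review bot: `test_extract_tar_file_outside_dir` asserts only that `AnsibleError` is raised with the expected message; it never checks that the `../` entry left nothing behind in `temp_dir`, so an implementation that wrote the file first and validated afterwards would still pass. Adding `assert not os.path.exists(os.path.join(temp_dir, to_bytes('%s.sh' % filename)))` after the outer `with tarfile.open(tar_file, 'r')` block would pin the property the CVE-2020-10691 fix is meant to guarantee (the path is presumably where the entry would land, one level above the extraction target). The test also covers a single member-name shape, and `_extract_tar_file` is not visible in this hunk, so it is worth confirming that other names resolving outside the destination are rejected too, for example by putting `pytest.mark.parametrize` on `tar_filename`. A short comment on the `tar_filename` assignment, such as `# entry name resolves above the collection directory`, would make the intent of the fixture obvious.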