The release assets and the MANIFEST file for checksum verification are downloaded via unencrypted connections. These assets are later extracted via tarfile.extractall.
The Python documentation of tarfile.extractall warns:
Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".
That means attackers can craft archive files that extract to arbitrary system folders. Since iocagerequires running as root the file /root/.ssh/authorized_keys is writable for attackers.
Checking the tar file content, like here, seems to be a proper mitigation of the vulnerability.
Which is the point since the user can supply their own. I won't say I'm open to injection as the point of failure would be the FreeBSD mirror. I do checksum, so presumably that helps. I'm not sure iterating and checking all the archives is worth it as I extract to a dataset and never the systems.
I'll mark this as a bug for now till I figure out what I want to do. But right now I'm not feeling this is really a iocage bug or worry.
I won't say I'm open to injection as the point of failure would be the FreeBSD mirror.
Users would not only have to trust the FreeBSD mirrors, but also everybody else on the route. The files are downloaded over an unencrypted connection - the mirrors do not respond to port tcp/443 at all. It's still advisable to obtain the hashes on a different (encrypted) channel.
I do checksum, so presumably that helps
Yes, but where do the checksums come from? MANIFEST is in the defaults of the files property and later downloaded with the other assets. An attacker can easily intercept this file as well.
I'm not sure iterating and checking all the archives is worth it as I extract to a dataset and never the systems.
It's not that big deal to walk over the file tree (which is currently done already). A simple exception when a file does not begin with ./ or contains ../ would be sufficient to include at the same spot.
Yeah I suppose. Not a difficult thing to add. Thanks for the issue @gronke :)
I'm glad this was brought up. Without careful archive handling, it's easy
for a government to backdoor people's jails.
@rwestlund Compromising the jails would be bad, but extracting files as root on the host system is what worries me most.
Should be good to go now 馃憤