fix(security): harden archive extraction (#16203)

* fix(browser): confine upload paths for file chooser * fix(browser): sanitize suggested download filenames * chore(lint): avoid control regex in download sanitizer * test(browser): cover absolute escape paths * docs(browser): update upload example path * refactor(browser): centralize upload path confinement * fix(infra): harden tmp dir selection * fix(security): harden archive extraction * fix(infra): harden tar extraction filter
2026-05-10 19:24:59 +00:00 · 2026-02-14 14:42:08 +01:00
parent 9a134c8a10
commit 3aa94afcfd
19 changed files with 1179 additions and 100 deletions
--- a/src/agents/skills-install.ts
+++ b/src/agents/skills-install.ts
@@ -4,6 +4,7 @@ import path from "node:path";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import type { OpenClawConfig } from "../config/config.js";
+import { extractArchive as extractArchiveSafe } from "../infra/archive.js";
 import { resolveBrewExecutable } from "../infra/brew.js";
 import { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
 import { runCommandWithTimeout } from "../process/exec.js";
@@ -225,6 +226,66 @@ function resolveArchiveType(spec: SkillInstallSpec, filename: string): string |
  return undefined;
 }

+function normalizeArchiveEntryPath(raw: string): string {
+  return raw.replaceAll("\\", "/");
+}
+
+function isWindowsDrivePath(p: string): boolean {
+  return /^[a-zA-Z]:[\\/]/.test(p);
+}
+
+function validateArchiveEntryPath(entryPath: string): void {
+  if (!entryPath || entryPath === "." || entryPath === "./") {
+    return;
+  }
+  if (isWindowsDrivePath(entryPath)) {
+    throw new Error(`archive entry uses a drive path: ${entryPath}`);
+  }
+  const normalized = path.posix.normalize(normalizeArchiveEntryPath(entryPath));
+  if (normalized === ".." || normalized.startsWith("../")) {
+    throw new Error(`archive entry escapes targetDir: ${entryPath}`);
+  }
+  if (path.posix.isAbsolute(normalized) || normalized.startsWith("//")) {
+    throw new Error(`archive entry is absolute: ${entryPath}`);
+  }
+}
+
+function resolveSafeBaseDir(rootDir: string): string {
+  const resolved = path.resolve(rootDir);
+  return resolved.endsWith(path.sep) ? resolved : `${resolved}${path.sep}`;
+}
+
+function stripArchivePath(entryPath: string, stripComponents: number): string | null {
+  const raw = normalizeArchiveEntryPath(entryPath);
+  if (!raw || raw === "." || raw === "./") {
+    return null;
+  }
+
+  // Important: tar's --strip-components semantics operate on raw path segments,
+  // before any normalization that would collapse "..". We mimic that so we
+  // can detect strip-induced escapes like "a/../b" with stripComponents=1.
+  const parts = raw.split("/").filter((part) => part.length > 0 && part !== ".");
+  const strip = Math.max(0, Math.floor(stripComponents));
+  const stripped = strip === 0 ? parts.join("/") : parts.slice(strip).join("/");
+  const result = path.posix.normalize(stripped);
+  if (!result || result === "." || result === "./") {
+    return null;
+  }
+  return result;
+}
+
+function validateExtractedPathWithinRoot(params: {
+  rootDir: string;
+  relPath: string;
+  originalPath: string;
+}): void {
+  const safeBase = resolveSafeBaseDir(params.rootDir);
+  const outPath = path.resolve(params.rootDir, params.relPath);
+  if (!outPath.startsWith(safeBase)) {
+    throw new Error(`archive entry escapes targetDir: ${params.originalPath}`);
+  }
+}
+
 async function downloadFile(
  url: string,
  destPath: string,
@@ -260,22 +321,99 @@ async function extractArchive(params: {
  timeoutMs: number;
 }): Promise<{ stdout: string; stderr: string; code: number | null }> {
  const { archivePath, archiveType, targetDir, stripComponents, timeoutMs } = params;
-  if (archiveType === "zip") {
-    if (!hasBinary("unzip")) {
-      return { stdout: "", stderr: "unzip not found on PATH", code: null };
-    }
-    const argv = ["unzip", "-q", archivePath, "-d", targetDir];
-    return await runCommandWithTimeout(argv, { timeoutMs });
-  }
+  const strip =
+    typeof stripComponents === "number" && Number.isFinite(stripComponents)
+      ? Math.max(0, Math.floor(stripComponents))
+      : 0;

-  if (!hasBinary("tar")) {
-    return { stdout: "", stderr: "tar not found on PATH", code: null };
+  try {
+    if (archiveType === "zip") {
+      await extractArchiveSafe({
+        archivePath,
+        destDir: targetDir,
+        timeoutMs,
+        kind: "zip",
+        stripComponents: strip,
+      });
+      return { stdout: "", stderr: "", code: 0 };
+    }
+
+    if (archiveType === "tar.gz") {
+      await extractArchiveSafe({
+        archivePath,
+        destDir: targetDir,
+        timeoutMs,
+        kind: "tar",
+        stripComponents: strip,
+        tarGzip: true,
+      });
+      return { stdout: "", stderr: "", code: 0 };
+    }
+
+    if (archiveType === "tar.bz2") {
+      if (!hasBinary("tar")) {
+        return { stdout: "", stderr: "tar not found on PATH", code: null };
+      }
+
+      // Preflight list to prevent zip-slip style traversal before extraction.
+      const listResult = await runCommandWithTimeout(["tar", "tf", archivePath], { timeoutMs });
+      if (listResult.code !== 0) {
+        return {
+          stdout: listResult.stdout,
+          stderr: listResult.stderr || "tar list failed",
+          code: listResult.code,
+        };
+      }
+      const entries = listResult.stdout
+        .split("\n")
+        .map((line) => line.trim())
+        .filter(Boolean);
+
+      const verboseResult = await runCommandWithTimeout(["tar", "tvf", archivePath], { timeoutMs });
+      if (verboseResult.code !== 0) {
+        return {
+          stdout: verboseResult.stdout,
+          stderr: verboseResult.stderr || "tar verbose list failed",
+          code: verboseResult.code,
+        };
+      }
+      for (const line of verboseResult.stdout.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed) {
+          continue;
+        }
+        const typeChar = trimmed[0];
+        if (typeChar === "l" || typeChar === "h" || trimmed.includes(" -> ")) {
+          return {
+            stdout: verboseResult.stdout,
+            stderr: "tar archive contains link entries; refusing to extract for safety",
+            code: 1,
+          };
+        }
+      }
+
+      for (const entry of entries) {
+        validateArchiveEntryPath(entry);
+        const relPath = stripArchivePath(entry, strip);
+        if (!relPath) {
+          continue;
+        }
+        validateArchiveEntryPath(relPath);
+        validateExtractedPathWithinRoot({ rootDir: targetDir, relPath, originalPath: entry });
+      }
+
+      const argv = ["tar", "xf", archivePath, "-C", targetDir];
+      if (strip > 0) {
+        argv.push("--strip-components", String(strip));
+      }
+      return await runCommandWithTimeout(argv, { timeoutMs });
+    }
+
+    return { stdout: "", stderr: `unsupported archive type: ${archiveType}`, code: null };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { stdout: "", stderr: message, code: 1 };
  }
-  const argv = ["tar", "xf", archivePath, "-C", targetDir];
-  if (typeof stripComponents === "number" && Number.isFinite(stripComponents)) {
-    argv.push("--strip-components", String(Math.max(0, Math.floor(stripComponents))));
-  }
-  return await runCommandWithTimeout(argv, { timeoutMs });
 }

 async function installDownloadSpec(params: {