fix: validate symlink targets to prevent prefix escape#2143
fix: validate symlink targets to prevent prefix escape#2143baszalmstra merged 4 commits intoconda:mainfrom
Conversation
baszalmstra
left a comment
There was a problem hiding this comment.
thanks! Left one comment, otherwise looks good!
baszalmstra
left a comment
There was a problem hiding this comment.
Do you think you could also add a test to verify that paths now cannot escape the package?
|
i'll add a test case that confirms symlink escaping the prefix gets rejected . |
|
i have one more pr which i raised a week before could you merge that #2090 |
|
I am not sure this will be the right thing to do. We migth have to discsus this wiht teh conda community. There migth be packages that legitimately ship symlinks to outside the env? E.g. for drivers? |
|
I hadn't considered driver packages. We could log a warning instead of rejecting, so nothing breaks but it's still visible. Or make it configurable so stricter setups can opt into hard failing. i can adjust either way, let me know what you'd prefer. |
|
Yeah we do have a setting that allows / disallows running of post-link scripts. Something similar perhaps? |
|
Yeah I can add an |
|
@baszalmstra can you please review the pr now i have updated it and can you please re-run the testcases |
Description
Symlink targets weren't being validated anywhere. A malicious package could include a symlink like
lib/foo ../../../../.bashrcand it'd get created as-is in the prefix.Disabled
allow_external_symlinksin the tarArchiveBuilder,Added targetvalidation in symlink_to_destinationbefore linking,Added target validation invalidate_package_soft_link_entryHow Has This Been Tested?
Tested locally symlinks escaping the prefix are now rejected.
AI Disclosure
Tools: claude
Checklist: