File gradle-CVE-2023-35947.patch of Package gradle.36305
Patch for CVE-2023-35947 (bsc#1212931) gradle: unpacking Tar archives could create files outside of the unpack location Derived from upstream commits 1096b309520a8c315e3b6109a6526de4eabcb879 and 2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 With this patch, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. This resolves CVE-2023-35947.
---
--- a/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/TarFileTree.java
+++ b/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/TarFileTree.java
@@ -231,6 +231,10 @@ public class TarFileTree implements Mini
         public int getMode() {
             return entry.getMode() & 0777;
         }
+
+        protected String getEntryName() {
+            return entry.getName();
+        }
     }
 
     private static class NoCloseTarInputStream extends TarInputStream {
--- a/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/ZipFileTree.java
+++ b/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/ZipFileTree.java
@@ -135,6 +135,10 @@ public class ZipFileTree implements Mini
             return String.format("zip entry %s!%s", originalFile, entry.getName());
         }
 
+        protected String getEntryName() {
+            return entry.getName();
+        }
+
         public void stopVisiting() {
             stopFlag.set(true);
         }
--- a/subprojects/core/src/main/java/org/gradle/caching/internal/tasks/TarTaskOutputPacker.java
+++ b/subprojects/core/src/main/java/org/gradle/caching/internal/tasks/TarTaskOutputPacker.java
@@ -46,6 +46,7 @@ import org.gradle.caching.internal.tasks
 import org.gradle.internal.hash.HashCode;
 import org.gradle.internal.hash.StreamHasher;
 import org.gradle.internal.nativeplatform.filesystem.FileSystem;
+import org.gradle.wrapper.PathTraversalChecker;
 
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayOutputStream;
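Review bot: The new `getEntryName()` accessor added to TarFileTree has no caller anywhere in this patch, so entries visited through `TarFileTree` (the `tarTree(...)` copy/extraction path) are still handed on without any traversal check; the only place this patch actually validates a name is the build-cache unpack in TarTaskOutputPacker. If the backport is meant to do what the header says — refuse Tar archives whose entry names contain traversal elements — the relative path given to the visitor should presumably be derived from `PathTraversalChecker.safePathName(getEntryName())`, as the cited upstream commits appear to intend; otherwise the accessor should be dropped rather than left as dead code that suggests coverage which is not there. The enclosing details class and its `entry` field start outside the hunk.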
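Review bot: ZipFileTree receives the same unused `getEntryName()` accessor, and nothing in this patch validates zip entry names either — the adjacent `String.format("zip entry %s!%s", originalFile, entry.getName())` shows the class still reads `entry.getName()` directly. Since zip extraction has the same shape as the tar path this CVE is about, either wire the accessor into the relative-path computation with the same `PathTraversalChecker.safePathName` check, or leave it out so a reader does not assume zip archives are covered by this fix. The enclosing class starts outside the hunk.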
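Review bot: The added `import org.gradle.wrapper.PathTraversalChecker;` refers to a class that no hunk in this patch creates, so the patch only compiles if that class already exists in the packaged Gradle sources or is supplied by another patch in this package — worth confirming before the build is attempted. The class also lives in the wrapper package, so the `core` subproject presumably needs a compile-time dependency on the wrapper sources for this import to resolve; if it does not already have one, the build script needs that change as well. The import list continues outside the hunk.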
@@ -258,7 +259,7 @@ public class TarTaskOutputPacker impleme
         long entries = 0;
         while ((tarEntry = tarInput.getNextTarEntry()) != null) {
             ++entries;
-            String name = tarEntry.getName();
+            String name = safeEntryName(tarEntry);
 
             if (name.equals(METADATA_PATH)) {
                 // handle origin metadata
@@ -288,6 +289,14 @@ public class TarTaskOutputPacker impleme
         return new UnpackResult(originMetadata, entries, propertyFileSnapshots.build());
     }
 
+    /**
+     * Returns a safe name for the name of a tar archive entry.
+     *
+     */
+    private static String safeEntryName(TarArchiveEntry tarEntry) {
+        return PathTraversalChecker.safePathName(tarEntry.getName());
+    }
+
     private void unpackPropertyEntry(ResolvedTaskOutputFilePropertySpec propertySpec, InputStream input, TarArchiveEntry entry, String childPath, boolean missing, ImmutableMultimap.Builder<String, FileSnapshot> fileSnapshots) throws IOException {
         File propertyRoot = propertySpec.getOutputFile();
         String propertyName = propertySpec.getPropertyName();
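Review bot: The header promises that Gradle will refuse archives with traversal elements, but the replaced line `String name = safeEntryName(tarEntry);` only has that effect if `PathTraversalChecker.safePathName` throws on a bad name; if it instead returns a normalised name, a crafted entry would be silently unpacked under a different path and the cache load would continue rather than abort. Confirm that the checker rejects absolute names (leading `/` or a drive letter) and backslash-separated `..` segments as well as `../`, since `name` is presumably what `childPath` for `unpackPropertyEntry` is derived from further down. The enclosing unpack method starts and ends outside the hunk.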
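Review bot: The javadoc on `safeEntryName` does not say what "safe" means or what happens when a name is not safe, and it keeps an empty `*` line left over from a template. Suggest replacing the description with `Validates the name of a tar archive entry via PathTraversalChecker.safePathName so that an entry whose name contains path traversal elements is rejected before anything is written under the output root.` and adding a `@throws` tag naming the exception the checker raises — that type is not visible in this patch, so it has to be confirmed against PathTraversalChecker. The body of `unpackPropertyEntry` continues outside the hunk.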