change the default behavior of archive extraction

Pass the `SECURE_NODOTDOT`, `SECURE_NOABSOLUTEPATHS` and `SECURE_SYMLINKS` flags to libarchive by default, unless the current directory is the root.

Author: Changaco

libarchive/extract.py

@@ -1,5 +1,6 @@
 from contextlib import contextmanager
 from ctypes import byref, c_longlong, c_size_t, c_void_p
+import os
 
 from .ffi import (
     write_disk_new, write_disk_set_options, write_free, write_header,
@@ -27,6 +28,12 @@
 EXTRACT_SECURE_NOABSOLUTEPATHS = 0x10000
 EXTRACT_CLEAR_NOCHANGE_FFLAGS = 0x20000
 
+PREVENT_ESCAPE = (
+    EXTRACT_SECURE_NOABSOLUTEPATHS |
+    EXTRACT_SECURE_NODOTDOT |
+    EXTRACT_SECURE_SYMLINKS
+)
+
 
 @contextmanager
 def new_archive_write_disk(flags):
@@ -38,9 +45,16 @@ def new_archive_write_disk(flags):
         write_free(archive_p)
 
 
-def extract_entries(entries, flags=0):
+def extract_entries(entries, flags=None):
     """Extracts the given archive entries into the current directory.
     """
+    if flags is None:
+        if os.getcwd() == '/':
+            # If the current directory is the root, then trying to prevent
+            # escaping is probably undesirable.
+            flags = 0
+        else:
+            flags = PREVENT_ESCAPE
     buff, size, offset = c_void_p(), c_size_t(), c_longlong()
     buff_p, size_p, offset_p = byref(buff), byref(size), byref(offset)
     with new_archive_write_disk(flags) as write_p:
@@ -55,20 +69,20 @@ def extract_entries(entries, flags=0):
             write_finish_entry(write_p)
 
 
-def extract_fd(fd, flags=0):
+def extract_fd(fd, flags=None):
     """Extracts an archive from a file descriptor into the current directory.
     """
     with fd_reader(fd) as archive:
         extract_entries(archive, flags)
 
 
-def extract_file(filepath, flags=0):
+def extract_file(filepath, flags=None):
     """Extracts an archive from a file into the current directory."""
     with file_reader(filepath) as archive:
         extract_entries(archive, flags)
 
 
-def extract_memory(buffer_, flags=0):
+def extract_memory(buffer_, flags=None):
     """Extracts an archive from memory into the current directory."""
     with memory_reader(buffer_) as archive:
         extract_entries(archive, flags)

tests/test_security_flags.py

@@ -3,35 +3,34 @@
 import pytest
 import os
 
-from libarchive import extract_file
-from libarchive.ffi import version_number
+from libarchive import extract_file, file_reader
 from libarchive.extract import (
     EXTRACT_SECURE_NOABSOLUTEPATHS, EXTRACT_SECURE_NODOTDOT,
 )
 from libarchive.exception import ArchiveError
 from . import data_dir
 
 
-def run_test(flag, filename):
+def run_test(flags):
     archive_path = os.path.join(data_dir, 'flags.tar')
     try:
-        extract_file(archive_path)
+        extract_file(archive_path, 0)
         with pytest.raises(ArchiveError):
-            extract_file(archive_path, flag)
+            extract_file(archive_path, flags)
     finally:
-        if os.path.exists(filename):
-            os.remove(filename)
+        with file_reader(archive_path) as archive:
+            for entry in archive:
+                if os.path.exists(entry.pathname):
+                    os.remove(entry.pathname)
 
 
-def test_no_dot_dot():
-    run_test(EXTRACT_SECURE_NODOTDOT, '../python-libarchive-c-test-dot-dot-file')
+def test_extraction_is_secure_by_default():
+    run_test(None)
 
 
-def test_absolute():
-    # EXTRACT_SECURE_NOABSOLUTEPATHS was only added in 3.1.900
-    # 3.1.900 -> 3001009
-    if version_number() >= 3001009:
-        run_test(
-            EXTRACT_SECURE_NOABSOLUTEPATHS,
-            '/tmp/python-libarchive-c-test-absolute-file'
-        )
+def test_explicit_no_dot_dot():
+    run_test(EXTRACT_SECURE_NODOTDOT)
+
+
+def test_explicit_no_absolute_paths():
+    run_test(EXTRACT_SECURE_NOABSOLUTEPATHS)