Understand the path traversal bug in Python’s tarfile module
Recently, a team of security researchers announced their finding of a fifteen year old bug in Python’s tar file extraction functionality. The vulnerability was first disclosed in 2007 and tracked as CVE-2007-4559. A note was added to the official Python documentation, but the bug itself was left unpatched.
This vulnerability could impact thousands of software projects yet many people are unfamiliar with the situation or how to handle it. That’s why, here at Secure Code Warrior, we’re giving you the opportunity to simulate exploiting this vulnerability yourself to see the impact first-hand and get some hands-on experience in the mechanics of this persistent bug, so you can better protect your application!
Try the simulated Mission now.
The vulnerability: path traversal during tar file extraction
Path or directory traversal happens when unsanitized user input is used to construct a file path, allowing an attacker to gain access to and overwrite files, and even execute arbitrary code.
The vulnerability exists in Python’s tarfile module. A tar (tape archive) file is a single file, called an archive. It packages together multiple files along with their metadata, and is usually recognized by having the .tar.gz or .tgz extension. Each member in the archive can be represented by a TarInfo object, which contains metadata, such as the file name, modification time, ownership, and more.
The risk arrises from the archives ability to be extracted again.
When being extracted, every member needs a path to be written to. This location is created by joining the base path with the file name:
Once this path is created, it’s passed on to the tarfile.extract or tarfile.extractall functions to perform the extraction:
The issue here is the lack of sanitization of the filename. An attacker could rename files to include path traversal characters, such as dot dot slash (../), which would cause the file to traverse out of the directory it was meant to be in and overwrite arbitrary files. This could eventually lead to remote code execution, which is ripe for exploitation.
The vulnerability appears throughout other scenarios, if you know how to identify it. In addition to Python’s handling of tar files, the vulnerability exists in the extraction of zip files. You may be familiar with this under another name, such as the zip slip vulnerability, which has manifested itself in languages other than Python!
How can you mitigate risk?
Despite the vulnerability being known for years, the Python maintainers consider the extraction functionality to be doing what it’s supposed to do. In this case, some may say “it’s a feature, not a bug.” Unfortunately, developers can’t always avoid extracting tar or zip files from an unknown source. It’s up to them to sanitize the untrusted input to prevent path traversal vulnerabilities as part of secure development practices.
Want to learn more about how to write secure code and mitigate risk with Python?
Try out our Python challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding practices.
Recently, a team of security researchers announced their finding of a fifteen year old bug in Python’s tar file extraction functionality. The vulnerability was first disclosed in 2007 and tracked as CVE-2007-4559. A note was added to the official Python documentation, but the bug itself was left unpatched.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Recently, a team of security researchers announced their finding of a fifteen year old bug in Python’s tar file extraction functionality. The vulnerability was first disclosed in 2007 and tracked as CVE-2007-4559. A note was added to the official Python documentation, but the bug itself was left unpatched.
This vulnerability could impact thousands of software projects yet many people are unfamiliar with the situation or how to handle it. That’s why, here at Secure Code Warrior, we’re giving you the opportunity to simulate exploiting this vulnerability yourself to see the impact first-hand and get some hands-on experience in the mechanics of this persistent bug, so you can better protect your application!
Try the simulated Mission now.
The vulnerability: path traversal during tar file extraction
Path or directory traversal happens when unsanitized user input is used to construct a file path, allowing an attacker to gain access to and overwrite files, and even execute arbitrary code.
The vulnerability exists in Python’s tarfile module. A tar (tape archive) file is a single file, called an archive. It packages together multiple files along with their metadata, and is usually recognized by having the .tar.gz or .tgz extension. Each member in the archive can be represented by a TarInfo object, which contains metadata, such as the file name, modification time, ownership, and more.
The risk arrises from the archives ability to be extracted again.
When being extracted, every member needs a path to be written to. This location is created by joining the base path with the file name:
Once this path is created, it’s passed on to the tarfile.extract or tarfile.extractall functions to perform the extraction:
The issue here is the lack of sanitization of the filename. An attacker could rename files to include path traversal characters, such as dot dot slash (../), which would cause the file to traverse out of the directory it was meant to be in and overwrite arbitrary files. This could eventually lead to remote code execution, which is ripe for exploitation.
The vulnerability appears throughout other scenarios, if you know how to identify it. In addition to Python’s handling of tar files, the vulnerability exists in the extraction of zip files. You may be familiar with this under another name, such as the zip slip vulnerability, which has manifested itself in languages other than Python!
How can you mitigate risk?
Despite the vulnerability being known for years, the Python maintainers consider the extraction functionality to be doing what it’s supposed to do. In this case, some may say “it’s a feature, not a bug.” Unfortunately, developers can’t always avoid extracting tar or zip files from an unknown source. It’s up to them to sanitize the untrusted input to prevent path traversal vulnerabilities as part of secure development practices.
Want to learn more about how to write secure code and mitigate risk with Python?
Try out our Python challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding practices.
Recently, a team of security researchers announced their finding of a fifteen year old bug in Python’s tar file extraction functionality. The vulnerability was first disclosed in 2007 and tracked as CVE-2007-4559. A note was added to the official Python documentation, but the bug itself was left unpatched.
This vulnerability could impact thousands of software projects yet many people are unfamiliar with the situation or how to handle it. That’s why, here at Secure Code Warrior, we’re giving you the opportunity to simulate exploiting this vulnerability yourself to see the impact first-hand and get some hands-on experience in the mechanics of this persistent bug, so you can better protect your application!
Try the simulated Mission now.
The vulnerability: path traversal during tar file extraction
Path or directory traversal happens when unsanitized user input is used to construct a file path, allowing an attacker to gain access to and overwrite files, and even execute arbitrary code.
The vulnerability exists in Python’s tarfile module. A tar (tape archive) file is a single file, called an archive. It packages together multiple files along with their metadata, and is usually recognized by having the .tar.gz or .tgz extension. Each member in the archive can be represented by a TarInfo object, which contains metadata, such as the file name, modification time, ownership, and more.
The risk arrises from the archives ability to be extracted again.
When being extracted, every member needs a path to be written to. This location is created by joining the base path with the file name:
Once this path is created, it’s passed on to the tarfile.extract or tarfile.extractall functions to perform the extraction:
The issue here is the lack of sanitization of the filename. An attacker could rename files to include path traversal characters, such as dot dot slash (../), which would cause the file to traverse out of the directory it was meant to be in and overwrite arbitrary files. This could eventually lead to remote code execution, which is ripe for exploitation.
The vulnerability appears throughout other scenarios, if you know how to identify it. In addition to Python’s handling of tar files, the vulnerability exists in the extraction of zip files. You may be familiar with this under another name, such as the zip slip vulnerability, which has manifested itself in languages other than Python!
How can you mitigate risk?
Despite the vulnerability being known for years, the Python maintainers consider the extraction functionality to be doing what it’s supposed to do. In this case, some may say “it’s a feature, not a bug.” Unfortunately, developers can’t always avoid extracting tar or zip files from an unknown source. It’s up to them to sanitize the untrusted input to prevent path traversal vulnerabilities as part of secure development practices.
Want to learn more about how to write secure code and mitigate risk with Python?
Try out our Python challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding practices.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Recently, a team of security researchers announced their finding of a fifteen year old bug in Python’s tar file extraction functionality. The vulnerability was first disclosed in 2007 and tracked as CVE-2007-4559. A note was added to the official Python documentation, but the bug itself was left unpatched.
This vulnerability could impact thousands of software projects yet many people are unfamiliar with the situation or how to handle it. That’s why, here at Secure Code Warrior, we’re giving you the opportunity to simulate exploiting this vulnerability yourself to see the impact first-hand and get some hands-on experience in the mechanics of this persistent bug, so you can better protect your application!
Try the simulated Mission now.
The vulnerability: path traversal during tar file extraction
Path or directory traversal happens when unsanitized user input is used to construct a file path, allowing an attacker to gain access to and overwrite files, and even execute arbitrary code.
The vulnerability exists in Python’s tarfile module. A tar (tape archive) file is a single file, called an archive. It packages together multiple files along with their metadata, and is usually recognized by having the .tar.gz or .tgz extension. Each member in the archive can be represented by a TarInfo object, which contains metadata, such as the file name, modification time, ownership, and more.
The risk arrises from the archives ability to be extracted again.
When being extracted, every member needs a path to be written to. This location is created by joining the base path with the file name:
Once this path is created, it’s passed on to the tarfile.extract or tarfile.extractall functions to perform the extraction:
The issue here is the lack of sanitization of the filename. An attacker could rename files to include path traversal characters, such as dot dot slash (../), which would cause the file to traverse out of the directory it was meant to be in and overwrite arbitrary files. This could eventually lead to remote code execution, which is ripe for exploitation.
The vulnerability appears throughout other scenarios, if you know how to identify it. In addition to Python’s handling of tar files, the vulnerability exists in the extraction of zip files. You may be familiar with this under another name, such as the zip slip vulnerability, which has manifested itself in languages other than Python!
How can you mitigate risk?
Despite the vulnerability being known for years, the Python maintainers consider the extraction functionality to be doing what it’s supposed to do. In this case, some may say “it’s a feature, not a bug.” Unfortunately, developers can’t always avoid extracting tar or zip files from an unknown source. It’s up to them to sanitize the untrusted input to prevent path traversal vulnerabilities as part of secure development practices.
Want to learn more about how to write secure code and mitigate risk with Python?
Try out our Python challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding practices.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
.png)
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
