Add path checking for relative/escaped tar filenames in the ansible-galaxy command
This commit is contained in:
parent
a45c3b84f3
commit
f8845af195
1 changed files with 10 additions and 2 deletions
|
@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
|
||||||
# verify the role's meta file
|
# verify the role's meta file
|
||||||
meta_file = None
|
meta_file = None
|
||||||
members = role_tar_file.getmembers()
|
members = role_tar_file.getmembers()
|
||||||
|
# next find the metadata file
|
||||||
for member in members:
|
for member in members:
|
||||||
if "/meta/main.yml" in member.name:
|
if "/meta/main.yml" in member.name:
|
||||||
meta_file = member
|
meta_file = member
|
||||||
|
@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
|
||||||
|
|
||||||
# now we do the actual extraction to the role_path
|
# now we do the actual extraction to the role_path
|
||||||
for member in members:
|
for member in members:
|
||||||
# we only extract files
|
# we only extract files, and remove any relative path
|
||||||
|
# bits that might be in the file for security purposes
|
||||||
|
# and drop the leading directory, as mentioned above
|
||||||
if member.isreg():
|
if member.isreg():
|
||||||
member.name = "/".join(member.name.split("/")[1:])
|
parts = member.name.split("/")[1:]
|
||||||
|
final_parts = []
|
||||||
|
for part in parts:
|
||||||
|
if part != '..' and '~' not in part and '$' not in part:
|
||||||
|
final_parts.append(part)
|
||||||
|
member.name = os.path.join(*final_parts)
|
||||||
role_tar_file.extract(member, role_path)
|
role_tar_file.extract(member, role_path)
|
||||||
|
|
||||||
# write out the install info file for later use
|
# write out the install info file for later use
|
||||||
|
|
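Review bot: `member.name = os.path.join(*final_parts)` raises TypeError when `final_parts` is empty, which a crafted archive can trigger with any regular member whose name has no slash at all or whose components after the leading directory are all filtered (e.g. `rolename/..` or `rolename/~`), so the install aborts with a traceback instead of rejecting the member. The filter also silently relocates rather than rejects: a member named `rolename/meta/../../x` is written as `meta/x` inside `role_path`, which is safe but surprising, and the denylist (`..`, `~`, `$`) does not cover `.` or empty components from `//`. I would skip members that reduce to nothing and add a final containment check on the resolved destination against `role_path` before calling `extract`, as below; whether a rejected member should be skipped or should fail the whole install depends on the error-handling style of `install_role`, which starts and ends outside this hunk.
```python
if member.isreg():
    # drop the leading directory and any component that could redirect the write
    parts = [p for p in member.name.split("/")[1:]
             if p not in ('', '.', '..') and '~' not in p and '$' not in p]
    if not parts:
        continue
    member.name = os.path.join(*parts)
    # belt-and-braces: refuse anything that still resolves outside role_path
    base = os.path.realpath(role_path)
    dest = os.path.realpath(os.path.join(base, member.name))
    if not dest.startswith(base + os.sep):
        continue
    role_tar_file.extract(member, role_path)
```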