
fix(cli): prevent tar path traversal in plugin install#1324

Open
kshirajahere wants to merge 1 commit into mofa-org:main from kshirajahere:fix/cli-plugin-tar-path-traversal

Conversation

kshirajahere (Contributor) commented Mar 17, 2026

Summary

Harden mofa plugin install tar extraction to prevent archive path traversal attempts from writing outside the plugin destination directory.

Related Issues

Closes #1323

Related to #461


Context

install_from_url() accepts remote .tar.gz archives and previously extracted them via tar::Archive::unpack(dest_dir). That broad extraction path does not provide explicit per-entry confinement logic in the installer and is risky in a supply-chain-sensitive code path.

This change applies explicit entry-level extraction checks so malicious archive entries cannot escape the plugin directory.


Changes

  • Replaced bulk tar extraction in extract_tar_gz() with per-entry iteration.
  • Switched to entry.unpack_in(dest_dir) for destination confinement.
  • Return a dedicated plugin error when an entry escape attempt is detected.
  • Added a regression test that builds a crafted traversal-style tar entry and verifies extraction is rejected.

How You Tested

  1. cargo fmt --package mofa-cli
  2. cargo test -p mofa-cli test_extract_tar_gz_rejects_path_traversal -- --nocapture
  3. cargo test -p mofa-cli test_install_invalid_plugin_structure

Screenshots / Logs (if applicable)

Key results:

  • test_extract_tar_gz_rejects_path_traversal ... ok
  • test_install_invalid_plugin_structure ... ok

Breaking Changes

  • No breaking changes
  • Breaking change (describe below)

Checklist

Code Quality

  • Code follows Rust idioms and project conventions
  • cargo fmt run
  • cargo clippy passes without warnings

Testing

  • Tests added/updated
  • cargo test passes locally without any error

Documentation

  • Public APIs documented
  • README / docs updated (if needed)

PR Hygiene

  • PR is small and focused (one logical change)
  • Branch is up to date with main
  • No unrelated commits
  • Commit messages explain why, not only what

Deployment Notes (if applicable)

No migration required.


Additional Notes for Reviewers

This PR intentionally limits scope to .tar.gz extraction hardening in CLI plugin install. Zip extraction already uses enclosed-name handling and is unchanged.
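Added example (not code from this PR or from the mofa repository) of the per-entry confinement the description talks about. It is written against std only so it runs without the `tar` and `flate2` crates: a hand-rolled ustar reader applies the rule that `tar::Entry::unpack_in` enforces on each member (no `..` components, nothing that resolves outside the destination), turns an escape attempt into a dedicated error instead of silently skipping it, and a constructed in-memory archive carrying a `../escape.txt` member exercises the rejection. `ExtractError`, `confined_path`, `extract_tar_confined` and `build_tar` are hypothetical names chosen for this example, and gzip decoding is left out (in the installer a gzip decoder would sit in front of the reader).

```rust
use std::fs;
use std::io::{self, Read};
use std::path::{Component, Path, PathBuf};

/// Hypothetical error type for this example; the project's plugin error enum is not shown on the PR page.
#[derive(Debug)]
pub enum ExtractError {
    Io(io::Error),
    PathEscape(String),
    Malformed(&'static str),
}

impl From<io::Error> for ExtractError {
    fn from(e: io::Error) -> Self { ExtractError::Io(e) }
}

/// Per-entry confinement: a member name may only contain normal (and `.`) components,
/// so `..`, absolute paths and drive prefixes can never resolve outside `dest`.
pub fn confined_path(dest: &Path, name: &str) -> Result<PathBuf, ExtractError> {
    let mut out = dest.to_path_buf();
    for part in Path::new(name).components() {
        match part {
            Component::Normal(p) => out.push(p),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(ExtractError::PathEscape(name.to_string()));
            }
        }
    }
    Ok(out)
}

/// Parse a NUL/space padded octal ustar header field (used for the size field).
fn octal(field: &[u8]) -> Result<u64, ExtractError> {
    let s = std::str::from_utf8(field).map_err(|_| ExtractError::Malformed("non-utf8 field"))?;
    u64::from_str_radix(s.trim_matches(|c| c == '\0' || c == ' '), 8)
        .map_err(|_| ExtractError::Malformed("bad octal field"))
}

/// Member name = optional ustar prefix (bytes 345..500) joined with name (bytes 0..100).
fn header_name(h: &[u8]) -> String {
    let field = |start: usize, end: usize| {
        let raw = &h[start..end];
        let len = raw.iter().position(|&b| b == 0).unwrap_or(raw.len());
        String::from_utf8_lossy(&raw[..len]).into_owned()
    };
    let (prefix, name) = (field(345, 500), field(0, 100));
    if prefix.is_empty() { name } else { format!("{}/{}", prefix, name) }
}

/// Walk the archive entry by entry and refuse any member that would escape `dest`.
/// Only regular files and directories are written; link and special entries are refused,
/// so a symlink-then-write-through sequence cannot occur. Returns the number of files written.
/// A truncated archive surfaces as an `Io` error from `read_exact`.
pub fn extract_tar_confined<R: Read>(mut reader: R, dest: &Path) -> Result<usize, ExtractError> {
    fs::create_dir_all(dest)?;
    let mut written = 0;
    let mut header = [0u8; 512];
    loop {
        reader.read_exact(&mut header)?;
        if header.iter().all(|&b| b == 0) {
            break; // end-of-archive zero block
        }
        let name = header_name(&header);
        let target = confined_path(dest, &name)?; // decide before touching the filesystem
        let size = octal(&header[124..136])? as usize;
        let mut body = vec![0u8; size + (512 - size % 512) % 512]; // data plus block padding
        reader.read_exact(&mut body)?;
        match header[156] {
            b'5' => fs::create_dir_all(&target)?,
            b'0' | 0 => {
                if let Some(parent) = target.parent() {
                    fs::create_dir_all(parent)?;
                }
                fs::write(&target, &body[..size])?;
                written += 1;
            }
            _ => return Err(ExtractError::Malformed("link or special entry refused")),
        }
    }
    Ok(written)
}

/// Build a minimal ustar archive in memory: constructed test input, not a real plugin bundle.
pub fn build_tar(entries: &[(&str, &[u8])]) -> Vec<u8> {
    let mut out = Vec::new();
    for (name, data) in entries {
        let mut h = [0u8; 512];
        h[..name.len()].copy_from_slice(name.as_bytes());
        h[100..108].copy_from_slice(b"0000644\0");
        h[124..136].copy_from_slice(format!("{:011o}\0", data.len()).as_bytes());
        h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
        h[156] = b'0';
        h[257..263].copy_from_slice(b"ustar\0");
        h[263..265].copy_from_slice(b"00");
        let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
        h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
        out.extend_from_slice(&h);
        out.extend_from_slice(data);
        out.resize(out.len() + (512 - data.len() % 512) % 512, 0);
    }
    out.extend_from_slice(&[0u8; 1024]);
    out
}
```

Two caveats worth keeping in mind when reviewing the real change. `tar::Entry::unpack_in` reports a skipped unsafe entry by returning `Ok(false)` rather than an error, so the installer has to inspect that boolean to raise the dedicated error the description promises; ignoring it would silently drop the member and continue. And because a hostile member is only detected when the stream reaches it, every earlier entry has already been written (the test below shows `plugin/ok.txt` on disk next to the rejected `../escape.txt`), so extracting into a staging directory and moving it into place only on success avoids leaving a half-installed plugin behind.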

kshirajahere (Contributor, Author) commented:

@mugiwaraluffy56 please review :)


Development

Successfully merging this pull request may close these issues:

  • [BUG] Security: harden mofa plugin install tar extraction against path traversal