Tar file extract can break our temporary directories
Summary
We use the tarfile module to extract archives for the tar source and the docker source in bst-external. Usually, we extract to a directory made by utils._tempdir. If the tar file contains a '.' entry (the archive root), then extracting it will set the permissions of that temporary directory to whatever the archive says, which may cause Buildstream to break when we try to delete it.
The cleanup function for utils._tempdir does a recursive chown on all the contents of the directory, but not the directory itself.
Steps to reproduce
This can be observed using the docker source plugin on a Red Hat 7 image (I can't provide the one I used, as it's a proprietary image). It should be easy to reproduce by making a custom tar file and importing it.
What is the current bug behavior?
Failure during staging, similar to this:
[--:--:--] START base.bst: Staging sources
[00:00:11] FAILURE base.bst: Staging sources
[00:00:11] FAILURE base.bst: Failed to remove cache directory '/Users/jmacarthur/.cache/buildstream/sources/docker/tmp72zcs15o': [Errno 13] Permission denied: 'proc'
What is the expected correct behavior?
Should not see any error.
Possible fixes
Best: Stop using tarfile altogether, as it's unsafe - a malicious tarfile or docker image can overwrite the rest of the file system (see the warnings on extractall in the Python documentation).
Faster: Any of:
- Reset the permissions on a temporary directory after extracting the archive
- Filter the list of files and never extract '.'
- Get _force_rmtree to chmod the starting directory as well as subdirectories.
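The following is an added example (not code from BuildStream or bst-external) that reproduces the mechanism from the summary and shows two of the fixes side by side. It constructs a small tar archive in memory whose first member is the directory '.' with mode 0o555, extracts it into a fresh temporary directory the way a plain extractall does, and shows that the temporary directory itself ends up read-only, so a cleanup that only fixes up the contents fails with the same `Permission denied: 'proc'` seen in the log. It then shows a member filter that never extracts '.' (and refuses paths that would land outside the destination, per the extractall warning in the Python docs) and a cleanup that chmods the starting directory as well as its subdirectories. All function names (`build_archive`, `extract_trusting`, `safe_members`, `extract_filtered`, `naive_cleanup`, `robust_cleanup`, `demo`) are this example's own, not BuildStream APIs.

```python
import io
import os
import shutil
import stat
import tarfile
import tempfile


def build_archive():
    """Construct, in memory, a tar whose first member is the directory '.'
    with mode 0o555, followed by a normal 'proc' directory and one file.
    This is constructed sample data, not an archive from the issue."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        root = tarfile.TarInfo(".")
        root.type = tarfile.DIRTYPE
        root.mode = 0o555  # r-x only: entries in this dir cannot be created or unlinked
        tar.addfile(root)
        sub = tarfile.TarInfo("proc")
        sub.type = tarfile.DIRTYPE
        sub.mode = 0o755
        tar.addfile(sub)
        payload = b"hello\n"
        f = tarfile.TarInfo("proc/readme.txt")
        f.size = len(payload)
        f.mode = 0o644
        tar.addfile(f, io.BytesIO(payload))
    return buf.getvalue()


def dir_mode(path):
    """Permission bits of a directory, without the file-type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def extract_trusting(tar_bytes, dest):
    """Plain extractall, as the tar/docker sources do. On Python >= 3.12 the
    'fully_trusted' filter is requested explicitly so the old behaviour is
    reproduced (3.14 defaults to the 'data' filter, which ignores directory modes)."""
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        tar.extractall(dest, **kwargs)


def safe_members(tar, dest):
    """Yield members that may be extracted under dest: drop any entry naming
    the extraction root ('.', './', ''), and refuse entries that would land
    outside dest. Assumed helper, written for this example."""
    real_dest = os.path.realpath(dest)
    for member in tar:
        name = os.path.normpath(member.name)
        if name in (".", ""):
            continue  # never let the archive set attributes on the temp dir itself
        if os.path.isabs(name):
            raise ValueError("absolute path in archive: %r" % member.name)
        target = os.path.realpath(os.path.join(real_dest, name))
        if os.path.commonpath([real_dest, target]) != real_dest:
            raise ValueError("path escapes extraction dir: %r" % member.name)
        yield member


def extract_filtered(tar_bytes, dest):
    """Fix 2 from the issue: filter the member list and never extract '.'.
    On Python >= 3.12 the 'data' filter is added as a second layer."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        tar.extractall(dest, members=safe_members(tar, dest), **kwargs)


def naive_cleanup(dest):
    """Mimics the cleanup described in the issue: fix up the contents of the
    directory but not the directory itself. Returns True if rmtree succeeded."""
    for root, dirs, _files in os.walk(dest):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o700)
    try:
        shutil.rmtree(dest)
    except PermissionError:  # e.g. "[Errno 13] Permission denied: 'proc'"
        return False
    return True


def robust_cleanup(dest):
    """Fix 3 from the issue: chmod the starting directory as well."""
    os.chmod(dest, 0o700)
    return naive_cleanup(dest)


def demo(extractor, cleanup):
    """Extract the constructed archive into a fresh temp dir and report the
    directory mode before/after extraction and whether cleanup succeeded."""
    dest = tempfile.mkdtemp()
    before = dir_mode(dest)
    extractor(build_archive(), dest)
    after = dir_mode(dest)
    ok = cleanup(dest)
    if os.path.exists(dest):  # leave nothing behind if cleanup failed
        os.chmod(dest, 0o700)
        shutil.rmtree(dest)
    return {"before": before, "after": after, "cleanup_ok": ok}


# root ignores directory permission bits, so the naive cleanup only fails as a normal user
IS_ROOT = getattr(os, "geteuid", lambda: -1)() == 0

if __name__ == "__main__":
    print("trusting extract + naive cleanup: ", demo(extract_trusting, naive_cleanup))
    print("filtered extract + naive cleanup: ", demo(extract_filtered, naive_cleanup))
    print("trusting extract + robust cleanup:", demo(extract_trusting, robust_cleanup))
```

Run as a normal user, the first line shows the temporary directory at mode 0o555 and cleanup failing; the second shows the directory mode untouched because '.' was never extracted; the third shows that chmod-ing the root before rmtree is enough to recover even when the archive was extracted unfiltered. The member filter is the cheaper of the two to adopt in the source plugins, but the cleanup fix is the one that protects utils._tempdir users regardless of how the directory was populated.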