trailofbits.generic.tar-insecure-flags.tar-insecure-flags
Found tar
command using insecure flags
Definition
rules:
  # Flags that make `tar` keep member names verbatim instead of stripping a
  # leading "/" (and, in GNU tar, rejecting ".." components): `-P` /
  # `--absolute-names` in GNU tar and `--absolute-paths` in bsdtar. With them
  # set, a crafted archive can place files outside the extraction directory
  # (CWE-73 / path traversal). `--passphrase` is the bsdtar option that takes
  # an archive passphrase on the command line, where it is visible in process
  # listings and shell history.
  - id: tar-insecure-flags
    message: Found `tar` command using insecure flags
    # Generic (text) matching: no shell parsing, so the rule applies to any
    # file type Semgrep scans and matches on whitespace-separated tokens.
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-73: External Control of File Name or Path"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://man7.org/linux/man-pages/man1/tar.1.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Path Traversal
    options:
      # Keep each `...` on the same line as the `tar` token. With an unbounded
      # span the ellipsis could run on to the next command and attribute, e.g.,
      # a later `wget -P` to the preceding `tar` (see the test fixture).
      generic_ellipsis_max_span: 0
    pattern-either:
      # Quoted with a trailing space so `-P` must be a standalone token;
      # `--Psomeotherflag`-style tokens are not reported.
      # NOTE(review): `-P` bundled with other short options (e.g. `-xPf`) does
      # not appear to be matched by this pattern — confirm and extend if needed.
      - pattern: "tar ... -P "
      # bsdtar long form.
      - pattern: tar ... --absolute-paths
      # GNU tar long form.
      - pattern: tar ... --absolute-names
      # Trailing space keeps this to the bare option, not an option prefix.
      - pattern: "tar ... --passphrase "
Examples
tar-insecure-flags.sh
#!/bin/bash
# Semgrep test fixture for tar-insecure-flags. A `ruleid:` line must be
# reported on the command directly below it; an `ok:` line must not. The
# commands exist only to exercise the pattern and are not meant to be run
# (in real tar usage `-f` consumes the following argument as the archive name).
# ruleid: tar-insecure-flags
tar -xvf --absolute-paths archive.tar
# ruleid: tar-insecure-flags
tar -xvf -P archive.tar
# `-P` immediately followed by other characters is not the standalone `-P`
# token the pattern's trailing space requires.
# ok: tar-insecure-flags
tar -xvf --Psomeotherflag archive.tar
# ok: tar-insecure-flags
tar -xvf archive.tar
# Unbounded ellipsis span in pattern wraps to next command in some scenarios.
# Not flagged: no absolute-name flag is present (extracting into / is outside
# this rule's scope).
# ok: tar-insecure-flags
wget https://git.kernel.org/torvalds/t/linux-6.8-rc1.tar.gz -O - | tar -xz -C / && mv linux-6.8-rc1 linux
# Must not match: with an unbounded ellipsis span the `...` in the pattern ran
# on from the previous `tar` command onto this line and associated wget's `-P`
# with it; `generic_ellipsis_max_span: 0` in the rule keeps the match on one line.
wget https://github.com/trailofbits/semgrep-rules -P /ToB/