trailofbits.generic.tar-insecure-flags.tar-insecure-flags

Author: trailofbits

Found tar command using insecure flags

Definition

rules:
  - id: tar-insecure-flags
    message: Found `tar` command using insecure flags
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-73: External Control of File Name or Path"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://man7.org/linux/man-pages/man1/tar.1.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Path Traversal
    options:
      generic_ellipsis_max_span: 0
    pattern-either:
      - pattern: "tar ... -P "
      - pattern: tar ... --absolute-paths
      - pattern: tar ... --absolute-names
      - pattern: "tar ... --passphrase "
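The rule above flags `-P` / `--absolute-names` / `--absolute-paths` because those flags switch off the containment check `tar` otherwise applies on extraction (stripping the leading `/` from member names and refusing names with `..` components), so an archive from an untrusted source can write anywhere the extracting user can. The following is an added example, not part of the rule or its test file, written in Python rather than the shell so the hostile archive can be built in memory: it constructs an archive with an absolute member name, a `..` member and a symlink pointing outside the target directory (all constructed sample data), then runs the kind of pre-extraction audit a careful extractor should perform instead of reaching for `-P`. The symlink check goes slightly beyond what the `-P` flag governs and is included as a general precaution; the destination path `/tmp/extract-demo` is an assumption and need not exist.

```python
import io
import os
import tarfile


def build_hostile_archive() -> bytes:
    """Build, in memory, a tar archive whose members try to escape the
    extraction directory. Constructed sample data for this example only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in (
            "/etc/cron.d/evil",            # absolute member name: what -P lets through
            "../../.ssh/authorized_keys",  # dot-dot traversal: also refused without -P
            "safe/readme.txt",             # harmless member that stays inside dest
        ):
            data = b"payload\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        # Symlink member whose target lies outside the destination directory.
        link = tarfile.TarInfo(name="link-out")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/shadow"
        tf.addfile(link)
    return buf.getvalue()


def escaping_members(archive: bytes, dest: str) -> list[str]:
    """Return the names of members that would be written, or would point,
    outside `dest`. This is the containment check given up by `tar -P`."""
    root = os.path.realpath(dest)

    def inside(path: str) -> bool:
        # realpath normalises '..' and resolves any symlinked prefix so the
        # comparison cannot be fooled by "dest/../elsewhere".
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for m in tf.getmembers():
            # os.path.join discards `root` when m.name is absolute, which is
            # exactly the behaviour an absolute member name exploits.
            target = os.path.join(root, m.name)
            if not inside(target):
                bad.append(m.name)
            elif m.issym() and not inside(os.path.join(os.path.dirname(target), m.linkname)):
                bad.append(m.name)  # symlink target escapes dest
            elif m.islnk() and not inside(os.path.join(root, m.linkname)):
                bad.append(m.name)  # hard link target escapes dest
    return bad


if __name__ == "__main__":
    archive = build_hostile_archive()
    for name in escaping_members(archive, "/tmp/extract-demo"):
        print("would escape extraction directory:", name)
```

Running the script reports the absolute member, the `..` member and the symlink, and leaves `safe/readme.txt` alone; an extractor that refuses the archive when this list is non-empty gets the protection that `tar -P` discards, without needing to trust the archive's author.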

Examples

tar-insecure-flags.sh

#!/bin/bash

# ruleid: tar-insecure-flags
# --absolute-paths (bsdtar spelling of -P) keeps absolute member names
tar -xv --absolute-paths -f archive.tar

# ruleid: tar-insecure-flags
# -P disables the stripping of leading '/' and the refusal of '..' components
tar -xv -P -f archive.tar

# ok: tar-insecure-flags
# The trailing space in the "-P " pattern keeps it from matching longer tokens
tar -xv --Psomeotherflag -f archive.tar

# ok: tar-insecure-flags
tar -xvf archive.tar

# An unbounded ellipsis span in the pattern wraps to the next command in some scenarios
# ok: tar-insecure-flags
wget https://git.kernel.org/torvalds/t/linux-6.8-rc1.tar.gz -O - | tar -xz -C / && mv linux-6.8-rc1 linux

# This shouldn't match, but the ellipsis wrap picks up the -P flag of this wget command
# and associates it with the previous tar command
wget https://github.com/trailofbits/semgrep-rules -P /ToB/