From e2c4dbf721aca11e8010063ef69dd1e35fd9945a Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Tue, 5 Jul 2022 15:30:10 +0200
Subject: [PATCH] Show a scary message in case of path traversal attempt

---
 libmat2/archive.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libmat2/archive.py b/libmat2/archive.py
index 31d97a0..f90385b 100644
--- a/libmat2/archive.py
+++ b/libmat2/archive.py
@@ -193,14 +193,24 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
                 zin.extract(member=item, path=temp_folder)
                 full_path = os.path.join(temp_folder, member_name)
 
-                original_permissions = os.stat(full_path).st_mode
+                try:
+                    original_permissions = os.stat(full_path).st_mode
+                except FileNotFoundError:
+                    logging.error("Something went wrong during processing of "
+                            "%s in %s, likely a path traversal attack.",
+                            member_name, self.filename)
+                    abort = True
+                    # we're breaking instead of continuing, because this exception
+                    # is raised in case of weird path-traversal-like atttacks.
+                    break
+
                 os.chmod(full_path, original_permissions | stat.S_IWUSR | stat.S_IRUSR)
 
                 original_compression = self._get_member_compression(item)
 
                 if self._specific_cleanup(full_path) is False:
-                    logging.warning("Something went wrong during deep cleaning of %s",
-                                    member_name)
+                    logging.warning("Something went wrong during deep cleaning of %s in %s",
+                                    member_name, self.filename)
                     abort = True
                     continue
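Review bot: The new guard in the try/except around `os.stat(full_path)` only detects a traversal attempt after `zin.extract` has already written the member, and it does so indirectly: it treats any FileNotFoundError on the expected `full_path` as an attack, so it both depends on the extractor having silently dropped or relocated the member and misreports unrelated causes of a missing file (presumably rare, but the log message then asserts more than the code knows). A direct check before extraction is clearer: resolve the intended destination with `os.path.realpath` and require `os.path.commonpath([real_root, real_path]) == real_root`, logging and breaking exactly as the hunk does; the stat guard can stay as a fallback. The added comment also has a typo, `atttacks` → `attacks`. The enclosing `for` loop and the `abort` bookkeeping start before the hunk, so whether `temp_folder` and any partially extracted members are cleaned up after the `break` cannot be confirmed from here.
```python
full_path = os.path.join(temp_folder, member_name)
real_root = os.path.realpath(temp_folder)
real_path = os.path.realpath(full_path)
# refuse members whose destination resolves outside temp_folder, before writing anything
if os.path.commonpath([real_root, real_path]) != real_root:
    logging.error("Something went wrong during processing of "
                  "%s in %s, likely a path traversal attack.",
                  member_name, self.filename)
    abort = True
    break
zin.extract(member=item, path=temp_folder)
# … unchanged: os.stat / os.chmod, compression lookup, _specific_cleanup …
```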
 
-- 
GitLab