From beebca4bf1cd3b935824c966ce077e7bcf610385 Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Tue, 5 Jul 2022 16:27:07 +0200
Subject: [PATCH] Prevent arbitrary file read via zip archives

A zip file with a file pointing to /etc/passwd would, upon being cleaned by
mat2, produce a file with the filesystem's /etc/passwd file.
---
 libmat2/archive.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libmat2/archive.py b/libmat2/archive.py
index f90385b..39fb23e 100644
--- a/libmat2/archive.py
+++ b/libmat2/archive.py
@@ -190,8 +190,14 @@ class ArchiveBasedAbstractParser(abstract.AbstractParser):
                 if member_name[-1] == '/':  # `is_dir` is added in Python3.6
                     continue  # don't keep empty folders
 
-                zin.extract(member=item, path=temp_folder)
                 full_path = os.path.join(temp_folder, member_name)
+                if not os.path.abspath(full_path).startswith(temp_folder):
+                    logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
+                            self.filename, member_name, full_path)
+                    abort = True
+                    break
+
+                zin.extract(member=item, path=temp_folder)
 
                 try:
                     original_permissions = os.stat(full_path).st_mode