security(stackbackup): block symlink-target escape and decompression bombs on import

obol stack import sanitized tar entry NAMES (sanitizeEntryName) but wrote
symlinks from the raw, unchecked Linkname. A malicious archive could ship a
clean-named symlink whose target points outside the extraction root (e.g.
link -> /etc, or ../../..), then a follow-up entry written THROUGH that link
lands at an arbitrary path — arbitrary file write as the importing user. The
only guard (name sanitization) does not help: the escape happens at OS
symlink-resolution time, not lexically.

- symlinkEscapesRoot rejects absolute and ..-walking symlink targets that
  resolve outside destRoot; in-root relative links (the common case) still
  work (TestArchiveRoundTrip unchanged).
- Add a decompression-ratio guard (countingReader + ratioGuard between gzip
  and tar): aborts when uncompressed:compressed exceeds 100:1 past a 64 MiB
  floor, so a tiny gzip can no longer inflate to a disk-filling tar. The
  floor keeps legitimate multi-GB agent-data restores (low, steady ratio)
  passing; thresholds are vars so tests can lower them.
- Tests: TestExtractRejectsSymlinkEscape (relative + absolute targets, no
  link created) and TestExtractRejectsDecompressionBomb.

Found in review of #624.

Author: bussyjd

internal/stackbackup/import.go

@@ -137,12 +137,13 @@ func walkArchive(input string, fn func(*tar.Reader, *tar.Header, string) error)
 		return err
 	}
 	defer f.Close()
-	gz, err := gzip.NewReader(f)
+	counted := &countingReader{r: f}
+	gz, err := gzip.NewReader(counted)
 	if err != nil {
 		return fmt.Errorf("not a gzip archive: %w", err)
 	}
 	defer gz.Close()
-	tr := tar.NewReader(gz)
+	tr := tar.NewReader(&ratioGuard{r: gz, compressed: &counted.n})
 	for {
 		hdr, err := tr.Next()
 		if errors.Is(err, io.EOF) {

internal/stackbackup/stackbackup_test.go

@@ -234,6 +234,75 @@ func TestExtractRejectsPathTraversal(t *testing.T) {
 	}
 }
 
+// TestExtractRejectsSymlinkEscape covers the symlink variant of the traversal
+// escape: a clean entry NAME whose symlink TARGET points outside the root.
+// Without target validation, a follow-up entry written through the link would
+// land at an arbitrary path. Both a "../"-walking and an absolute target must
+// be refused, and no link may be created.
+func TestExtractRejectsSymlinkEscape(t *testing.T) {
+	for _, target := range []string{"../../../../etc/cron.d", "/etc/passwd"} {
+		archive := filepath.Join(t.TempDir(), "evil-symlink.tar.gz")
+		f, err := os.Create(archive)
+		if err != nil {
+			t.Fatal(err)
+		}
+		gz := gzip.NewWriter(f)
+		tw := tar.NewWriter(gz)
+		if err := tw.WriteHeader(&tar.Header{Name: "link", Linkname: target, Mode: 0o777, Typeflag: tar.TypeSymlink}); err != nil {
+			t.Fatal(err)
+		}
+		tw.Close()
+		gz.Close()
+		f.Close()
+
+		dest := t.TempDir()
+		err = walkArchive(archive, func(tr *tar.Reader, hdr *tar.Header, clean string) error {
+			return extractEntry(tr, hdr, dest, clean)
+		})
+		if err == nil || !strings.Contains(err.Error(), "escapes extraction root") {
+			t.Fatalf("symlink escape to %q not rejected: %v", target, err)
+		}
+		if _, err := os.Lstat(filepath.Join(dest, "link")); !os.IsNotExist(err) {
+			t.Fatalf("escaping symlink to %q must not be created: %v", target, err)
+		}
+	}
+}
+
+// TestExtractRejectsDecompressionBomb verifies the ratio guard trips on an
+// archive that inflates far beyond its compressed size. Thresholds are lowered
+// so the test stays small and fast.
+func TestExtractRejectsDecompressionBomb(t *testing.T) {
+	origFloor, origRatio := bombFloorBytes, maxCompressionRatio
+	bombFloorBytes, maxCompressionRatio = 1024, 2
+	defer func() { bombFloorBytes, maxCompressionRatio = origFloor, origRatio }()
+
+	archive := filepath.Join(t.TempDir(), "bomb.tar.gz")
+	f, err := os.Create(archive)
+	if err != nil {
+		t.Fatal(err)
+	}
+	gz := gzip.NewWriter(f)
+	tw := tar.NewWriter(gz)
+	zeros := make([]byte, 1<<20) // 1 MiB of zeros gzips to ~1 KiB -> ~1000:1
+	if err := tw.WriteHeader(&tar.Header{Name: "big", Mode: 0o600, Size: int64(len(zeros)), Typeflag: tar.TypeReg}); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := tw.Write(zeros); err != nil {
+		t.Fatal(err)
+	}
+	tw.Close()
+	gz.Close()
+	f.Close()
+
+	dest := t.TempDir()
+	err = walkArchive(archive, func(tr *tar.Reader, hdr *tar.Header, clean string) error {
+		return extractEntry(tr, hdr, dest, clean)
+	})
+	if err == nil || !strings.Contains(err.Error(), "decompression bomb") {
+		t.Fatalf("decompression bomb not rejected: %v", err)
+	}
+}
+
 func TestReadStackID(t *testing.T) {
 	dir := t.TempDir()
 	if got := readStackID(dir); got != "" {

internal/stackbackup/tar.go

@@ -165,13 +165,35 @@ func sanitizeEntryName(name string) (string, error) {
 	return clean, nil
 }
 
+// symlinkEscapesRoot reports whether a symlink placed at linkPath pointing to
+// target would resolve outside destRoot. Entry NAMES are sanitized
+// (sanitizeEntryName), but a symlink's TARGET is not — an unchecked target
+// lets a LATER entry be written THROUGH the link to an arbitrary path (the
+// classic symlink tar-extraction escape: entry "x" -> /etc, then entry
+// "x/passwd" resolves outside the root). Absolute targets and ".."-walking
+// relative targets that leave the root are rejected; in-root links (the common
+// case — a relative link to a sibling file) are allowed.
+func symlinkEscapesRoot(destRoot, linkPath, target string) bool {
+	var resolved string
+	if filepath.IsAbs(target) {
+		resolved = filepath.Clean(target)
+	} else {
+		resolved = filepath.Clean(filepath.Join(filepath.Dir(linkPath), target))
+	}
+	root := filepath.Clean(destRoot)
+	return resolved != root && !strings.HasPrefix(resolved, root+string(os.PathSeparator))
+}
+
 // extractEntry writes one tar entry under destRoot/relName.
 func extractEntry(tr *tar.Reader, hdr *tar.Header, destRoot, relName string) error {
 	dest := filepath.Join(destRoot, relName)
 	switch hdr.Typeflag {
 	case tar.TypeDir:
 		return os.MkdirAll(dest, os.FileMode(hdr.Mode)|0o700)
 	case tar.TypeSymlink:
+		if symlinkEscapesRoot(destRoot, dest, hdr.Linkname) {
+			return fmt.Errorf("symlink %q targets %q which escapes extraction root", relName, hdr.Linkname)
+		}
 		if err := os.MkdirAll(filepath.Dir(dest), 0o700); err != nil {
 			return err
 		}
@@ -194,3 +216,49 @@ func extractEntry(tr *tar.Reader, hdr *tar.Header, destRoot, relName string) err
 		return nil // ignore other entry types
 	}
 }
+
+// Decompression-bomb guard. archive/tar bounds each file read to the header
+// size, but a tiny gzip can declare (and inflate to) a disk-filling tar. The
+// guard tracks the live ratio of uncompressed bytes produced to compressed
+// bytes consumed and aborts once it is implausible. bombFloorBytes avoids
+// false positives on small, naturally high-ratio inputs; legitimate multi-GB
+// agent-data exports never sustain a ratio this high. Both are vars so tests
+// can lower them. (vars, not consts, for that reason.)
+var (
+	bombFloorBytes      int64 = 64 << 20 // ignore the ratio below this many uncompressed bytes
+	maxCompressionRatio int64 = 100      // abort above this uncompressed:compressed ratio
+)
+
+// countingReader counts the bytes read from an underlying reader (used on the
+// raw compressed stream, beneath gzip).
+type countingReader struct {
+	r io.Reader
+	n int64
+}
+
+func (c *countingReader) Read(p []byte) (int, error) {
+	n, err := c.r.Read(p)
+	c.n += int64(n)
+	return n, err
+}
+
+// ratioGuard wraps the decompressed stream and trips when the running
+// decompression ratio exceeds maxCompressionRatio past bombFloorBytes. It
+// sits between gzip and tar, so every byte the tar reader consumes — headers
+// and file bodies alike, including io.Copy in extractEntry — is accounted.
+type ratioGuard struct {
+	r            io.Reader
+	compressed   *int64 // bytes pulled from the compressed source so far
+	uncompressed int64
+}
+
+func (g *ratioGuard) Read(p []byte) (int, error) {
+	n, err := g.r.Read(p)
+	g.uncompressed += int64(n)
+	if g.uncompressed > bombFloorBytes {
+		if c := *g.compressed; c > 0 && g.uncompressed/c > maxCompressionRatio {
+			return n, fmt.Errorf("refusing archive: decompression ratio %d:1 exceeds %d:1 limit (possible decompression bomb)", g.uncompressed/c, maxCompressionRatio)
+		}
+	}
+	return n, err
+}