Python Arbitrary File Write Prevention: The Tarbomb

What is a “Tarbomb” attack and how can you protect your python applications?

Andrew Scott
Ochrona Security


⚠️ The code in this post is meant for education purposes ONLY! If you don’t own or have explicit permission to do penetration testing against an application, DO NOT USE THIS CODE ⚠️

What is a Tarbomb?

A tarbomb can actually be a few different things. One common definition is similar to the XML bomb we looked at previously, which expands from a small file into a very large object in memory; in this case the tar archive contains many, many files which flood the file system when extracted. However, we’ll actually be looking at an alternative type of tarbomb which can be a bit more malicious rather than just annoying.

Our tarbomb will be constructed by adding files to the tarball whose names point outside of the current directory, using relative paths (`../`). There are also variants of this attack which use absolute paths or symlinks to accomplish the same goal: file creation or overwrite in a directory the archive should not have access to.
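The defensive side of the three variants just listed (relative `../` traversal, absolute names, and symlinks that point out of the extraction directory) can be checked before `extractall` touches the disk. The following is an added example, not code from the post or from Ochrona; the helper names (`find_unsafe_members`, `safe_extract`, `build_archive`, `demo`) and the in-memory archives it builds are constructed for this illustration. Each member name is resolved lexically against the destination, link targets are resolved the way tar treats them (symlinks relative to the member's own directory, hardlinks relative to the archive root), and any member whose path passes through a symlink created earlier in the same archive is refused, since a later file would otherwise be written through that link.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def _inside(base: str, path: str) -> bool:
    """True if `path`, after normalising '..' segments, stays under `base`."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that would write outside `dest`.

    All checks are lexical and run before anything is extracted, covering:
      * absolute names and '..' segments that escape dest
      * symlinks / hardlinks whose target resolves outside dest
      * members whose path goes through a symlink defined earlier in the archive
    """
    unsafe: list[tuple[str, str]] = []
    symlinks: set[str] = set()  # names of symlink members seen so far
    for m in tar.getmembers():
        name = m.name
        target = os.path.join(dest, name)  # join() discards dest if name is absolute
        if os.path.isabs(name) or not _inside(dest, target):
            unsafe.append((name, "path escapes destination"))
        elif any(name == s or name.startswith(s + "/") for s in symlinks):
            unsafe.append((name, "path passes through an in-archive symlink"))
        elif m.issym() or m.islnk():
            # symlink targets are relative to the link's directory; hardlinks to the archive root
            base = os.path.dirname(target) if m.issym() else dest
            link_target = os.path.join(base, m.linkname)
            if os.path.isabs(m.linkname) or not _inside(dest, link_target):
                unsafe.append((name, "link target outside destination"))
        if m.issym():
            symlinks.add(name)
    return unsafe


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe; otherwise extract it."""
    unsafe = find_unsafe_members(tar, dest)
    if unsafe:
        raise ValueError("refusing to extract: " + "; ".join(f"{n} ({r})" for n, r in unsafe))
    if hasattr(tarfile, "data_filter"):  # Python 3.12+ (or the backport): second line of defence
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def build_archive(members: list[tuple[str, bytes | None, str | None]]) -> bytes:
    """Constructed in-memory tarball. Each entry: (name, file content or None, symlink target or None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content, link in members:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> dict:
    """Run the checks against a constructed clean archive and a constructed tarbomb."""
    good = build_archive([("accounts/2020_06.csv", b"id,amount\n1,100\n", None)])
    bomb = build_archive([
        ("accounts/2020_06.csv", b"id,amount\n1,100\n", None),
        ("../outside.txt", b"one level above dest\n", None),       # relative traversal
        ("/tmp/absolute.txt", b"absolute member name\n", None),    # absolute path
        ("escape", None, "../.."),                                  # symlink pointing out of dest
        ("escape/through_link.txt", b"written via the link\n", None),
    ])
    results: dict = {}
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(good)) as tar:
            results["good_flagged"] = find_unsafe_members(tar, dest)
            safe_extract(tar, dest)
            results["good_extracted"] = os.path.isfile(os.path.join(dest, "accounts", "2020_06.csv"))
        with tarfile.open(fileobj=io.BytesIO(bomb)) as tar:
            results["bomb_flagged"] = [n for n, _ in find_unsafe_members(tar, dest)]
            try:
                safe_extract(tar, dest)
                results["bomb_refused"] = False
            except ValueError:
                results["bomb_refused"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Refusing the whole archive rather than skipping bad members is deliberate: an archive containing even one traversal entry is hostile, and partially extracting it only leaves you guessing what else it intended. The `realpath` calls also mean that if `dest` itself is a symlink on disk, the comparison is made against where it really points.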

As an example of how this could work, imagine you’re on your MacBook trying to open a file you just downloaded from your email, accounts_2020_06.tar.gz. From your downloads folder, you…
