enh(backup): harden file type and name constraints on restore#3341
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
Tightens backup restore behavior in motioneye.config.restore() by restricting extraction to regular files during tarball restore, aiming to reduce risk from non-file tar members.
Changes:
- Filter tar members using
TarInfo.isfile()before applying the allowed filename patterns. - Keep existing pattern-based allowlist for config-related filenames during restore.
MichaIng
force-pushed
the
enh/restore-only-regular-files
branch
from
4d7449a to
1bb928e
Compare
Once we support Python 3.12+ only, we can use `filter='data'` , which refuses to extract any kind of link, normalizes paths, skips paths pointing outside of the target dir, skips owner/mode, and more more. The `isfile()` check, however prevents extraction of any unintended file types, and the name pattern matching is hereby hardened to really only allow leading `./` segments, and no other combination of these characters, and no `/` anywhere else in the filename. This is needed since `fnmatchcase()` wildcard `*` matches `/` as well. Signed-off-by: MichaIng <micha@dietpi.com>
MichaIng
force-pushed
the
enh/restore-only-regular-files
branch
from
1bb928e to
47a40f5
Compare
MichaIng
changed the title
Agent-Logs-Url: https://github.com/motioneye-project/motioneye/sessions/8b459da4-7afa-4856-9bcb-a90554666125 Co-authored-by: MichaIng <28480705+MichaIng@users.noreply.github.com>
Agent-Logs-Url: https://github.com/motioneye-project/motioneye/sessions/8b459da4-7afa-4856-9bcb-a90554666125 Co-authored-by: MichaIng <28480705+MichaIng@users.noreply.github.com>
Member
Author
|
@copilot
Hence the loop added to extract every file individually seems to not actually add anything to security, but adds quite a lot of unnecessary processing. If so, we better keep it as it was and use |
Agent-Logs-Url: https://github.com/motioneye-project/motioneye/sessions/ed04a67e-63f2-4eec-a3d9-19121ccda194 Co-authored-by: MichaIng <28480705+MichaIng@users.noreply.github.com>
Contributor
Agreed, and adjusted in e02b162. I reverted the per-file extraction loop and switched back to |
MichaIng
commented
May 24, 2026
Agent-Logs-Url: https://github.com/motioneye-project/motioneye/sessions/00a4e7c8-9dfa-4f02-9b39-e917cebeea6a Co-authored-by: MichaIng <28480705+MichaIng@users.noreply.github.com>
Member
Author
Agent-Logs-Url: https://github.com/motioneye-project/motioneye/sessions/4839fe3b-fc5f-47e0-9706-78656db1c956 Co-authored-by: MichaIng <28480705+MichaIng@users.noreply.github.com>
Contributor
MichaIng
force-pushed
the
enh/restore-only-regular-files
branch
from
83481d2 to
4df84a0
Compare
We do not test the actual restored file or tarball member contents, hence skip this entirely to avoid confusion or false implications. Create and check multiple files and tarball members with positional arguments in a single function call, instead of multple calls, a list or dict. Move `assertIsNotNone(data)` from backup tests into the members assert function. The same for checking the restore result is not such a coding benefit, since its assert function does not currently take or need the JSON result. Instead, it is sufficient to check the expected result in a single separate test, and skip it entirely in all others, where it is about the restored files, not about the return value of the restore function. A test with `settings.ENABLE_REBOOT = True` => `{reboot: True}` could make sense though.
Signed-off-by: MichaIng <micha@dietpi.com>
MichaIng
force-pushed
the
enh/restore-only-regular-files
branch
from
4df84a0 to
437aaeb
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Once we support Python 3.12+ only, we can use
filter='data'instead, or additionally, which refuses to extract any kind of link, normalizes paths, skips owner/mode, and more more. With our hardcoded strict filename pattern and theisfile()check, however, all security concerns are addressed.