Opened 2 months ago

Last modified 7 weeks ago

#36588 assigned Cleanup/optimization

Harden `django.utils.archive` against decompression bombs

Reported by: Natalia Bidart Owned by: Marcelo Elizeche Landó
Component: Utilities Version: dev
Severity: Normal Keywords: archive
Cc: Jake Howard Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

The django.utils.archive module is an internal utility used by startapp and startproject when the --template option is provided. The current implementation does not impose limits on extracted file size, file count, or decompression time. This makes it possible for a crafted archive to consume excessive resources.

Thanks to "junfuchong (chongfujun)" for the report.

This is not considered a security issue under Django's policy because:

  • The module is undocumented and only used in local development commands.
  • Our policy excludes issues that affect only local dev, and these commands are not intended to run on untrusted archives in production.

Still, adding safeguards (such as maximum size or file count limits) would make the code more robust and user-friendly. This ticket tracks such hardening work after a conversation held within the Security Team.

Change History (7)

comment:1 by Natalia Bidart, 2 months ago

Cc: Jake Howard added

Jake Howard said:

  • This also highlights that we should probably document this explicitly. If it's come up before, it's going to come up again. Getting some agreement for how local development only vulnerabilities are classed will help avoid a lot of future confusion. I'd suggest we put a warning on the --template argument about using untrusted templates, not only for extraction issues, but also because if they contain bad practices or backdoors, the new project would contain them too.
  • Python's built-ins have come a long way since this module was created, and we could defer a lot of this work upstream. zipfile is probably safe as-is at least for our use case, and tarfile has extraction filters since 3.12 to mitigate much of the weirdness. We might even be able to use shutil.unpack_archive entirely (more investigation needed).

comment:2 by Tim Graham, 2 months ago

Triage Stage: UnreviewedAccepted

comment:3 by Jake Howard, 2 months ago

I've opened a PR to add the security warning to --template, which is separate from the hardening.

Last edited 2 months ago by Jacob Walls (previous) (diff)

comment:4 by nessita <124304+nessita@…>, 2 months ago

In 4e7a991c:

Refs #36588 -- Warned about using external templates in startapp/startproject commands.

Clarified that custom templates provided via --template for starapp
and startproject are used as-is, adding a warning that malicious or
poorly constructed templates may introduce security issues.

comment:5 by Natalia <124304+nessita@…>, 2 months ago

In fbced43:

[5.2.x] Refs #36588 -- Warned about using external templates in startapp/startproject commands.

Clarified that custom templates provided via --template for starapp
and startproject are used as-is, adding a warning that malicious or
poorly constructed templates may introduce security issues.

Backport of 4e7a991c12a113229e0927974d3bf94ea04eecf6 from main.

comment:6 by Marcelo Elizeche Landó, 8 weeks ago

Has patch: set
Owner: set to Marcelo Elizeche Landó
Status: newassigned

PR

comment:7 by Jacob Walls, 7 weeks ago

Patch needs improvement: set
Note: See TracTickets for help on using tickets.
Back to Top