Symlink Archive (TAR)

What is a Symlink Archive Attack?

A symlink archive attack exploits the way applications extract TAR archives containing symbolic link entries. When an application extracts the archive, it creates symlinks on the filesystem that point to sensitive files outside the extraction directory. Subsequent reads of those symlinks expose the contents of the target files.

How It Works

TAR natively supports symbolic links as a file type. A symlink entry in a TAR archive has two components:

  • Link name: The name of the symlink file inside the archive
  • Target: The path the symlink points to (can be absolute or relative)

When extracted, the symlink is created as-is. If the target is an absolute path like /etc/passwd, the symlink will point to that system file.

Attack Scenarios

Sensitive File Disclosure

Create a symlink pointing to /etc/passwd, /etc/shadow, or application configuration files containing credentials.

Environment Variable Leakage

Symlink to /proc/self/environ to read the process environment, which often contains API keys, database credentials, and other secrets.

Process Information Disclosure

Symlink to /proc/self/cmdline to see how the process was started, revealing configuration flags, file paths, and other operational details.

Why TAR (Not ZIP)?

TAR has first-class support for symlinks via the TypeSymlink header type. ZIP does not have a standardized symlink mechanism across platforms.

Defenses That Block This

  • Rejecting symlink entries during extraction
  • Resolving and validating symlink targets before creation
  • Extracting to sandboxed directories with restricted filesystem access
  • Using container isolation (symlinks can't escape the container filesystem)

Related CVEs

  • CVE-2018-1000001 — glibc realpath() buffer underflow (symlink related)
  • CVE-2021-21300 — Git symlink handling in checkout

References