Allow extractors to report on MaliciousSymlinkRemoved
qkaiser opened this issue · 1 comments
qkaiser commented
We want to obtain visibility into malicious symlinks being removed by custom extractors through the reporting framework (MaliciousSymlinkRemoved).
We need this within the extractor because leaving unblob core to fix these symlinks is too dangerous. If the extractors do not remove or rewrite those symlinks, we're open to this attack in two steps:
- extractor creates a symlink pointing outside the extraction directory
- extractor creates a file with the same name as the symlink, therefore writing to the symlink target
So we want to keep our extractors as they are, but we want to allow them to report whenever they delete or rewrite a link.
Originally posted by @martonilles in #513 (comment)
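An extractor-side check for the two steps described above, as an added example that is not part of the original thread and not unblob's code. `SymlinkRemoved`, `inside`, `extract` and the `(kind, name, payload)` entry tuples are hypothetical names, and the entries in `demo` are constructed.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class SymlinkRemoved:
    """Hypothetical report record; not unblob's MaliciousSymlinkRemoved class."""
    link: str
    target: str


def inside(root: str, path: str) -> bool:
    # realpath follows symlinks already on disk, so a link planted by an
    # earlier entry cannot redirect a later one out of the root.
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def extract(root: str, entries) -> list:
    """Write (kind, name, payload) entries under root; return dropped links."""
    root = os.path.realpath(root)
    reports = []
    for kind, name, payload in entries:
        dest = os.path.join(root, name)
        if kind == "symlink":
            # A relative target is resolved from the link's own directory;
            # an absolute target replaces the prefix and fails the check.
            target = os.path.join(os.path.dirname(dest), payload)
            if not inside(root, target):
                reports.append(SymlinkRemoved(name, payload))
                continue  # step 1 never lands on disk
            os.symlink(payload, dest)
        elif inside(root, dest):
            with open(dest, "wb") as fh:
                fh.write(payload)
    return reports


def demo():
    # Constructed entries: "evil" is first a link leaving the root, then a file.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "extract")
    os.makedirs(root)
    entries = [
        ("symlink", "evil", "../outside.txt"),
        ("file", "evil", b"payload"),
        ("symlink", "ok", "data.bin"),
        ("file", "data.bin", b"x"),
    ]
    return base, root, extract(root, entries)
```

Because the escaping link is dropped and reported inside the extractor, the later file entry with the same name is written as a regular file inside the extraction directory.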
qkaiser commented
This is covered by extract reporting ExtractResult.