From 47aa756c5e9af28e1c76d303ab6eb7999585728c Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Sun, 16 Oct 2022 23:40:31 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- venv/Lib/site-packages/d2lzh/utils.py | 42 ++++++++++++++++++- .../mxnet/contrib/text/embedding.py | 21 +++++++++- .../mxnet/gluon/data/vision/datasets.py | 21 +++++++++- .../pygments/lexers/_php_builtins.py | 21 +++++++++- 4 files changed, 100 insertions(+), 5 deletions(-) diff --git a/venv/Lib/site-packages/d2lzh/utils.py b/venv/Lib/site-packages/d2lzh/utils.py index fc53903..b227aa4 100644 --- a/venv/Lib/site-packages/d2lzh/utils.py +++ b/venv/Lib/site-packages/d2lzh/utils.py @@ -122,7 +122,26 @@ def download_imdb(data_dir='../data'): sha1 = '01ada507287d82875905620988597833ad4e0903' fname = gutils.download(url, data_dir, sha1_hash=sha1) with tarfile.open(fname, 'r') as f: - f.extractall(data_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, data_dir) def _download_pikachu(data_dir): @@ -143,7 +162,26 @@ def download_voc_pascal(data_dir='../data'): sha1 = '4e443f8a2eca6b1dac8a6c57641b67dd40621a49' fname = gutils.download(url, data_dir, sha1_hash=sha1) with tarfile.open(fname, 'r') as f: - f.extractall(data_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, data_dir) return voc_dir diff --git a/venv/Lib/site-packages/mxnet/contrib/text/embedding.py b/venv/Lib/site-packages/mxnet/contrib/text/embedding.py index b7f3fcb..68a23eb 100644 --- a/venv/Lib/site-packages/mxnet/contrib/text/embedding.py +++ b/venv/Lib/site-packages/mxnet/contrib/text/embedding.py @@ -226,7 +226,26 @@ def _get_pretrained_file(cls, embedding_root, pretrained_file_name): zf.extractall(embedding_dir) elif ext == '.gz': with tarfile.open(downloaded_file_path, 'r:gz') as tar: - tar.extractall(path=embedding_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, path=embedding_dir) return pretrained_file_path def _load_embedding(self, pretrained_file_path, elem_delim, init_unknown_vec, encoding='utf8'): diff --git a/venv/Lib/site-packages/mxnet/gluon/data/vision/datasets.py b/venv/Lib/site-packages/mxnet/gluon/data/vision/datasets.py index 12ef7e1..ea44ff4 100644 --- a/venv/Lib/site-packages/mxnet/gluon/data/vision/datasets.py +++ b/venv/Lib/site-packages/mxnet/gluon/data/vision/datasets.py @@ -172,7 +172,26 @@ def _get_data(self): sha1_hash=self._archive_file[1]) with tarfile.open(filename) as tar: - tar.extractall(self._root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, self._root) if self._train: data_files = self._train_data diff --git a/venv/Lib/site-packages/pygments/lexers/_php_builtins.py b/venv/Lib/site-packages/pygments/lexers/_php_builtins.py index c608400..2bf45ee 100644 --- a/venv/Lib/site-packages/pygments/lexers/_php_builtins.py +++ b/venv/Lib/site-packages/pygments/lexers/_php_builtins.py @@ -4728,7 +4728,26 @@ def get_php_functions(): def get_php_references(): download = urlretrieve(PHP_MANUAL_URL) with tarfile.open(download[0]) as tar: - tar.extractall() + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar) for file in glob.glob("%s%s" % (PHP_MANUAL_DIR, PHP_REFERENCE_GLOB)): yield file os.remove(download[0])