From f00bc42b10c878376014bf2574b6ddffe7129557 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Thu, 15 Dec 2022 02:05:44 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- .../data/download_cifar10.py | 21 ++++++++++++++++++- examples/cnn/data/download_cifar10.py | 21 ++++++++++++++++++- examples/cpp/cifar10/download_data.py | 21 ++++++++++++++++++- examples/onnx/utils.py | 21 ++++++++++++++++++- examples/rnn/imdb_data.py | 21 ++++++++++++++++++- 5 files changed, 100 insertions(+), 5 deletions(-) diff --git a/examples/cifar_distributed_cnn/data/download_cifar10.py b/examples/cifar_distributed_cnn/data/download_cifar10.py index a010b2e859..4e45e37251 100644 --- a/examples/cifar_distributed_cnn/data/download_cifar10.py +++ b/examples/cifar_distributed_cnn/data/download_cifar10.py @@ -30,7 +30,26 @@ def extract_tarfile(filepath): if os.path.exists(filepath): print('The tar file does exist. Extracting it now..') with tarfile.open(filepath, 'r') as f: - f.extractall('/tmp/') + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, "/tmp/") print('Finished!') sys.exit(0) diff --git a/examples/cnn/data/download_cifar10.py b/examples/cnn/data/download_cifar10.py index a010b2e859..4e45e37251 100755 --- a/examples/cnn/data/download_cifar10.py +++ b/examples/cnn/data/download_cifar10.py @@ -30,7 +30,26 @@ def extract_tarfile(filepath): if os.path.exists(filepath): print('The tar file does exist. Extracting it now..') with tarfile.open(filepath, 'r') as f: - f.extractall('/tmp/') + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, "/tmp/") print('Finished!') sys.exit(0) diff --git a/examples/cpp/cifar10/download_data.py b/examples/cpp/cifar10/download_data.py index a0b73c5212..c7e9f0afd2 100755 --- a/examples/cpp/cifar10/download_data.py +++ b/examples/cpp/cifar10/download_data.py @@ -31,7 +31,26 @@ def extract_tarfile(filepath): if os.path.exists(filepath): print('The tar file does exist. Extracting it now..') with tarfile.open(filepath, 'r') as f: - f.extractall('.') + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, ".") print('Finished!') sys.exit(0) diff --git a/examples/onnx/utils.py b/examples/onnx/utils.py index b8f7b3473d..9deb4d0b6a 100644 --- a/examples/onnx/utils.py +++ b/examples/onnx/utils.py @@ -28,7 +28,26 @@ def download_model(url): download_dir = '/tmp/' with tarfile.open(check_exist_or_download(url), 'r') as t: - t.extractall(path=download_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(t, path=download_dir) def load_dataset(test_data_dir): diff --git a/examples/rnn/imdb_data.py b/examples/rnn/imdb_data.py index 973f9e5bfb..129142c012 100644 --- a/examples/rnn/imdb_data.py +++ b/examples/rnn/imdb_data.py @@ -108,7 +108,26 @@ def unzip_data(download_dir, data_gz): if not os.path.exists(data_dir): print("extracting %s to %s" % (download_dir, data_dir)) with tarfile.open(data_gz) as tar: - tar.extractall(download_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, download_dir) return data_dir