From c9827aeb01d1645b14761bded801f56a33491362 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Sat, 17 Dec 2022 21:48:11 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/node_modules/node-gyp/update-gyp.py b/node_modules/node-gyp/update-gyp.py index bb84f07..73277d8 100755 --- a/node_modules/node-gyp/update-gyp.py +++ b/node_modules/node-gyp/update-gyp.py @@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH):