Adding tarfile member sanitization to extractall() (#2061)

21545f0c · TrellixVulnTeam · GitHub · 5dd04d1b · 21545f0c · 21545f0c
2 changed file
--- a/modules/image/text_to_image/disco_diffusion_ernievil_base/vit_b_16x/ernievil2/transformers/file_utils.py
+++ b/modules/image/text_to_image/disco_diffusion_ernievil_base/vit_b_16x/ernievil2/transformers/file_utils.py
@@ -47,7 +47,26 @@ def _fetch_from_remote(url, force_download=False, cached_dir='~/.paddle-ernie-ca
                    f.flush()
            log.debug('extacting... to %s' % tmpfile)
            with tarfile.open(tmpfile.as_posix()) as tf:
-                tf.extractall(path=str(cached_dir_model))
+                def is_within_directory(directory, target):
+                    abs_directory = os.path.abspath(directory)
+                    abs_target = os.path.abspath(target)
+                    prefix = os.path.commonprefix([abs_directory, abs_target])
+                    return prefix == abs_directory
+                def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                    for member in tar.getmembers():
+                        member_path = os.path.join(path, member.name)
+                        if not is_within_directory(path, member_path):
+                            raise Exception("Attempted Path Traversal in Tar File")
+                    tar.extractall(path, members, numeric_owner=numeric_owner) 
+                safe_extract(tf, path=str(cached_dir_model))
            donefile.touch()
        os.remove(tmpfile.as_posix())

--- a/modules/text/text_generation/reading_pictures_writing_poems_for_midautumn/MidAutumnPoetry/model/file_utils.py
+++ b/modules/text/text_generation/reading_pictures_writing_poems_for_midautumn/MidAutumnPoetry/model/file_utils.py
@@ -33,7 +33,26 @@ def _fetch_from_remote(url, force_download=False):
                    f.flush()
            logger.debug('extacting... to %s' % f.name)
            with tarfile.open(f.name) as tf:
-                tf.extractall(path=cached_dir)
+                def is_within_directory(directory, target):
+                    abs_directory = os.path.abspath(directory)
+                    abs_target = os.path.abspath(target)
+                    prefix = os.path.commonprefix([abs_directory, abs_target])
+                    return prefix == abs_directory
+                def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                    for member in tar.getmembers():
+                        member_path = os.path.join(path, member.name)
+                        if not is_within_directory(path, member_path):
+                            raise Exception("Attempted Path Traversal in Tar File")
+                    tar.extractall(path, members, numeric_owner=numeric_owner) 
+                safe_extract(tf, path=cached_dir)
    logger.debug('%s cached in %s' % (url, cached_dir))
    return cached_dir