From 21545f0ca353cc4bf05798d64964441c532e69e3 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <112716341+TrellixVulnTeam@users.noreply.github.com>
Date: Mon, 17 Oct 2022 06:47:47 -0500
Subject: [PATCH] Adding tarfile member sanitization to extractall() (#2061)
---
 .../ernievil2/transformers/file_utils.py | 21 ++++++++++++++++++-
 .../MidAutumnPoetry/model/file_utils.py | 21 ++++++++++++++++++-
 2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/modules/image/text_to_image/disco_diffusion_ernievil_base/vit_b_16x/ernievil2/transformers/file_utils.py b/modules/image/text_to_image/disco_diffusion_ernievil_base/vit_b_16x/ernievil2/transformers/file_utils.py
index bead1f2c..0d39f723 100755
--- a/modules/image/text_to_image/disco_diffusion_ernievil_base/vit_b_16x/ernievil2/transformers/file_utils.py
+++ b/modules/image/text_to_image/disco_diffusion_ernievil_base/vit_b_16x/ernievil2/transformers/file_utils.py
@@ -47,7 +47,26 @@ def _fetch_from_remote(url, force_download=False, cached_dir='~/.paddle-ernie-ca
 f.flush()
 log.debug('extacting... to %s' % tmpfile)
 with tarfile.open(tmpfile.as_posix()) as tf:
- tf.extractall(path=str(cached_dir_model))
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tf, path=str(cached_dir_model))
 donefile.touch()
 os.remove(tmpfile.as_posix())
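Review bot: The added `is_within_directory` decides containment with `os.path.commonprefix`, which is a character-wise string prefix rather than a path-component comparison, so an extraction root whose name is a prefix of a sibling directory's name does not form a boundary; the identical helper is repeated in the second hunk (MidAutumnPoetry/model/file_utils.py) and needs the same fix. Compare whole components instead, `return os.path.commonpath([abs_directory, abs_target]) == abs_directory`, and resolve both sides with `os.path.realpath` so an existing symlinked cache directory is compared by its real location. The pre-flight loop also never inspects `member.issym()`/`member.islnk()` and `member.linkname`, so a link member is accepted on the strength of its own name alone; on 3.12+ or the PEP 706 backports, `tf.extractall(path=..., filter="data")` performs both checks in the stdlib and the helpers can be dropped. As a point of style, both helpers are redefined on every call inside the `with` block and raise a bare `Exception`; hoisting them to module level as `_is_within_directory`/`_safe_extract` and raising `tarfile.TarError` (or a subclass) would make the check reusable and catchable by callers. `_fetch_from_remote` starts and ends outside the hunk.
```python
# … unchanged: `with tarfile.open(tmpfile.as_posix()) as tf:` …
def is_within_directory(directory, target):
    # realpath: compare the real location of an existing (possibly symlinked) root;
    # commonpath: compare whole path components, not a character prefix
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory

def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
    for member in tar.getmembers():
        member_path = os.path.join(path, member.name)
        if not is_within_directory(path, member_path):
            raise tarfile.TarError("Attempted Path Traversal in Tar File")
        if member.issym() or member.islnk():
            # a symlink target is relative to the member's directory, a hard-link
            # target to the archive root; either must stay under `path`
            base = os.path.dirname(member_path) if member.issym() else path
            if not is_within_directory(path, os.path.join(base, member.linkname)):
                raise tarfile.TarError("Attempted Path Traversal in Tar File")
    # NOTE(review): links the archive itself creates do not exist yet at check time,
    # so this pre-flight cannot follow them; on 3.12+ (or the PEP 706 backports)
    # prefer tar.extractall(path, members, numeric_owner=numeric_owner, filter="data")
    tar.extractall(path, members, numeric_owner=numeric_owner)
# … unchanged: `safe_extract(tf, path=str(cached_dir_model))` call site …
```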
diff --git a/modules/text/text_generation/reading_pictures_writing_poems_for_midautumn/MidAutumnPoetry/model/file_utils.py b/modules/text/text_generation/reading_pictures_writing_poems_for_midautumn/MidAutumnPoetry/model/file_utils.py
index 608be4ef..1ba17701 100644
--- a/modules/text/text_generation/reading_pictures_writing_poems_for_midautumn/MidAutumnPoetry/model/file_utils.py
+++ b/modules/text/text_generation/reading_pictures_writing_poems_for_midautumn/MidAutumnPoetry/model/file_utils.py
@@ -33,7 +33,26 @@ def _fetch_from_remote(url, force_download=False):
 f.flush()
 logger.debug('extacting... to %s' % f.name)
 with tarfile.open(f.name) as tf:
- tf.extractall(path=cached_dir)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tf, path=cached_dir)
 logger.debug('%s cached in %s' % (url, cached_dir))
 return cached_dir
--
GitLab