Adding tarfile member sanitization to extractall() (#803)

allegroai · Oct 27, 2022 · d17903d · d17903d
1 parent b598ee5
commit d17903d
Showing 1 changed file with 40 additions and 2 deletions.
diff --git a/clearml/storage/manager.py b/clearml/storage/manager.py
@@ -165,10 +165,48 @@ def _extract_to_cache(
                 ZipFile(cached_file.as_posix()).extractall(path=temp_target_folder.as_posix())
             elif suffix == ".tar.gz":
                 with tarfile.open(cached_file.as_posix()) as file:
-                    file.extractall(temp_target_folder.as_posix())
+                    def is_within_directory(directory, target):
+
+                        abs_directory = os.path.abspath(directory)
+                        abs_target = os.path.abspath(target)
+
+                        prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                        return prefix == abs_directory
+
+                    def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                        for member in tar.getmembers():
+                            member_path = os.path.join(path, member.name)
+                            if not is_within_directory(path, member_path):
+                                raise Exception("Attempted Path Traversal in Tar File")
+
+                        tar.extractall(path, members, numeric_owner=numeric_owner) 
+
+
+                    safe_extract(file, temp_target_folder.as_posix())
             elif suffix == ".tgz":
                 with tarfile.open(cached_file.as_posix(), mode='r:gz') as file:
-                    file.extractall(temp_target_folder.as_posix())
+                    def is_within_directory(directory, target):
+
+                        abs_directory = os.path.abspath(directory)
+                        abs_target = os.path.abspath(target)
+
+                        prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                        return prefix == abs_directory
+
+                    def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                        for member in tar.getmembers():
+                            member_path = os.path.join(path, member.name)
+                            if not is_within_directory(path, member_path):
+                                raise Exception("Attempted Path Traversal in Tar File")
+
+                        tar.extractall(path, members, numeric_owner=numeric_owner) 
+
+
+                    safe_extract(file, temp_target_folder.as_posix())
 
             if temp_target_folder != target_folder:
                 # we assume we will have such folder if we already extract the file