Adding tarfile member sanitization to extractall() (#31)

TrellixVulnTeam · web-flow · commit 2572497b1405 · 2022-11-01T10:15:19.000+01:00
diff --git a/napari_cellseg3d/model_workers.py b/napari_cellseg3d/model_workers.py
@@ -140,7 +140,26 @@ def show_progress(count, block_size, total_size):
                 url, reporthook=show_progress
             )
             with tarfile.open(filename, mode="r:gz") as tar:
-                tar.extractall(pretrained_folder_path)
+                def is_within_directory(directory, target):
+                    
+                    abs_directory = os.path.abspath(directory)
+                    abs_target = os.path.abspath(target)
+                
+                    prefix = os.path.commonprefix([abs_directory, abs_target])
+                    
+                    return prefix == abs_directory
+                
+                def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                
+                    for member in tar.getmembers():
+                        member_path = os.path.join(path, member.name)
+                        if not is_within_directory(path, member_path):
+                            raise Exception("Attempted Path Traversal in Tar File")
+                
+                    tar.extractall(path, members, numeric_owner=numeric_owner) 
+                    
+                
+                safe_extract(tar, pretrained_folder_path)
         else:
             raise ValueError(
                 f"Unknown model: {model_name}. Should be one of {', '.join(neturls)}"
