Merge pull request #490 from bigbio/dev

minor bug fixed.

Author: ypriverol

pmultiqc/modules/common/file_utils.py

@@ -53,14 +53,28 @@ def extract_zip(file_path: str, extract_to: str) -> None:
     max_size = 10 * 1024 * 1024 * 1024  # 10GB limit
 
     with zipfile.ZipFile(file_path, "r") as zip_ref:
+        # Get absolute path of extract_to for proper comparison
+        extract_to_abs = os.path.abspath(extract_to)
+
         # Security: Check for path traversal in zip entries
         for member in zip_ref.namelist():
-            # Normalize the path and check for path traversal attempts
-            member_path = os.path.normpath(os.path.join(extract_to, member))
-            if not member_path.startswith(os.path.abspath(extract_to)):
-                raise ValueError(f"Attempted path traversal in zip file: {member}")
-            if ".." in member or member.startswith("/"):
+            # Check for explicit path traversal attempts (../ or ..\ patterns)
+            # Allow filenames containing ".." as a substring (e.g., "file..name.txt")
+            if "../" in member or "..\\" in member or member.startswith("../") or member.startswith("..\\"):
                 raise ValueError(f"Invalid path in zip file: {member}")
+            # Check for absolute paths
+            if member.startswith("/") or (os.name == "nt" and len(member) > 1 and member[1] == ":"):
+                raise ValueError(f"Invalid path in zip file: {member}")
+
+            # Normalize the member path (remove leading slashes and normalize)
+            member_normalized = os.path.normpath(member.lstrip("/"))
+
+            # Join with extract_to and normalize to get the full path
+            member_path = os.path.normpath(os.path.join(extract_to_abs, member_normalized))
+
+            # Check if the resolved path is within extract_to directory
+            if not member_path.startswith(extract_to_abs + os.sep) and member_path != extract_to_abs:
+                raise ValueError(f"Attempted path traversal in zip file: {member}")
 
         # Security: Check for zip bombs
         total_uncompressed_size = sum(info.file_size for info in zip_ref.infolist())
@@ -83,14 +97,28 @@ def extract_gz(file_path: str, extract_to: str) -> None:
 def extract_tar(file_path: str, extract_to: str) -> None:
     """Extract a tar file with security checks against path traversal."""
     with tarfile.open(file_path, "r:*") as tar_ref:
+        # Get absolute path of extract_to for proper comparison
+        extract_to_abs = os.path.abspath(extract_to)
+
         # Security: Check for path traversal in tar entries
         for member in tar_ref.getmembers():
-            # Normalize the path and check for path traversal attempts
-            member_path = os.path.normpath(os.path.join(extract_to, member.name))
-            if not member_path.startswith(os.path.abspath(extract_to)):
-                raise ValueError(f"Attempted path traversal in tar file: {member.name}")
-            if ".." in member.name or member.name.startswith("/"):
+            # Check for explicit path traversal attempts (../ or ..\ patterns)
+            # Allow filenames containing ".." as a substring (e.g., "file..name.txt")
+            if "../" in member.name or "..\\" in member.name or member.name.startswith("../") or member.name.startswith("..\\"):
                 raise ValueError(f"Invalid path in tar file: {member.name}")
+            # Check for absolute paths
+            if member.name.startswith("/") or (os.name == "nt" and len(member.name) > 1 and member.name[1] == ":"):
+                raise ValueError(f"Invalid path in tar file: {member.name}")
+
+            # Normalize the member path (remove leading slashes and normalize)
+            member_normalized = os.path.normpath(member.name.lstrip("/"))
+
+            # Join with extract_to and normalize to get the full path
+            member_path = os.path.normpath(os.path.join(extract_to_abs, member_normalized))
+
+            # Check if the resolved path is within extract_to directory
+            if not member_path.startswith(extract_to_abs + os.sep) and member_path != extract_to_abs:
+                raise ValueError(f"Attempted path traversal in tar file: {member.name}")
 
         tar_ref.extractall(extract_to)
         log.info(f"Extracted {file_path} to {extract_to}")

pmultiqc/modules/quantms/quantms.py

@@ -1619,7 +1619,7 @@ def get_unimod_modification(modifis):
             )
             table_html = (
                     table_html
-                    + """<div class="page_control"><span id="psmFirst">First Page</span><span
+                    + r"""<div class="page_control"><span id="psmFirst">First Page</span><span
             id="psmPre"> Previous Page</span><span id="psmNext">Next Page </span><span id="psmLast">Last
             Page</span><span id="psmPageNum"></span>Page/Total <span id="psmTotalPage"></span>Pages <input
             type="number" name="" id="psm_page" class="page" value="" oninput="this.value=this.value.replace(/\D/g);"
@@ -1802,7 +1802,7 @@ def get_spectrum_count_across_rep(condition_count_dict: dict):
             )
             table_html = (
                     table_html
-                    + """<div class="page_control"><span id="protFirst">First Page</span><span
+                    + r"""<div class="page_control"><span id="protFirst">First Page</span><span
             id="protPre"> Previous Page</span><span id="protNext">Next Page </span><span id="protLast">Last
             Page</span><span id="protPageNum"></span>Page/Total <span id="protTotalPage"></span>Pages <input
             type="number" name="" id="prot_page" class="page" value="" oninput="this.value=this.value.replace(/\D/g);"