Adding tarfile member sanitization to extractall() (#1593)

TrellixVulnTeam · web-flow · commit ce0e0a21c23d · 2022-12-15T19:28:51.000-05:00
diff --git a/scripts/datasets/general_nlp_benchmark/prepare_text_classification.py b/scripts/datasets/general_nlp_benchmark/prepare_text_classification.py
@@ -53,7 +53,26 @@ def main(args):
         sha1_hash = _URL_FILE_STATS[file_url]
         download_path = download(file_url, args.cache_path, sha1_hash=sha1_hash)
         with tarfile.open(download_path) as f:
-            f.extractall(task_dir_path)
+            def is_within_directory(directory, target):
+                
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+            
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+                
+                return prefix == abs_directory
+            
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+            
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+            
+                tar.extractall(path, members, numeric_owner=numeric_owner) 
+                
+            
+            safe_extract(f, task_dir_path)
         if task == 'imdb':
             shutil.move(os.path.join(task_dir_path, 'imdb', 'train.parquet'),
                         os.path.join(task_dir_path, 'train.parquet'))
diff --git a/scripts/datasets/music_generation/prepare_music_midi.py b/scripts/datasets/music_generation/prepare_music_midi.py
@@ -74,16 +74,92 @@ def main(args):
                                                     save_dir))
     if args.dataset == 'lmd_full':
         with tarfile.open(target_download_location) as f:
-            f.extractall(save_dir)
+            def is_within_directory(directory, target):
+                
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+            
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+                
+                return prefix == abs_directory
+            
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+            
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+            
+                tar.extractall(path, members, numeric_owner=numeric_owner) 
+                
+            
+            safe_extract(f, save_dir)
     elif args.dataset == 'lmd_matched':
         with tarfile.open(target_download_location) as f:
-            f.extractall(save_dir)
+            def is_within_directory(directory, target):
+                
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+            
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+                
+                return prefix == abs_directory
+            
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+            
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+            
+                tar.extractall(path, members, numeric_owner=numeric_owner) 
+                
+            
+            safe_extract(f, save_dir)
     elif args.dataset == 'lmd_aligned':
         with tarfile.open(target_download_location) as f:
-            f.extractall(save_dir)
+            def is_within_directory(directory, target):
+                
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+            
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+                
+                return prefix == abs_directory
+            
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+            
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+            
+                tar.extractall(path, members, numeric_owner=numeric_owner) 
+                
+            
+            safe_extract(f, save_dir)
     elif args.dataset == 'clean_midi':
         with tarfile.open(target_download_location) as f:
-            f.extractall(save_dir)
+            def is_within_directory(directory, target):
+                
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+            
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+                
+                return prefix == abs_directory
+            
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+            
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+            
+                tar.extractall(path, members, numeric_owner=numeric_owner) 
+                
+            
+            safe_extract(f, save_dir)
     elif args.dataset == 'maestro_v1':
         with zipfile.ZipFile(target_download_location, 'r') as fobj:
             fobj.extractall(save_dir)
