fix: setup security issue (#318)

elliottmurray · TrellixVulnTeam · web-flow · commit d87d54bce2ed · 2022-11-21T09:39:41.000Z
* Adding tarfile member sanitization to extractall()

* fix: flake8 issues after security pr

Co-authored-by: TrellixVulnTeam &lt;charles.mcfarland@trellix.com&gt;
diff --git a/.flake8 b/.flake8
diff --git a/MANIFEST b/MANIFEST
@@ -0,0 +1,29 @@
+# file GENERATED by distutils, do NOT edit
+CHANGELOG.md
+CONTRIBUTING.md
+LICENSE
+README.md
+RELEASING.md
+requirements_dev.txt
+setup.cfg
+setup.py
+pact/__init__.py
+pact/__version__.py
+pact/broker.py
+pact/constants.py
+pact/consumer.py
+pact/http_proxy.py
+pact/matchers.py
+pact/message_consumer.py
+pact/message_pact.py
+pact/message_provider.py
+pact/pact.py
+pact/provider.py
+pact/verifier.py
+pact/verify_wrapper.py
+pact/bin/pact-1.88.83-linux-x86.tar.gz
+pact/bin/pact-1.88.83-linux-x86_64.tar.gz
+pact/bin/pact-1.88.83-osx.tar.gz
+pact/bin/pact-1.88.83-win32.zip
+pact/cli/__init__.py
+pact/cli/verify.py
diff --git a/pact/verify_wrapper.py b/pact/verify_wrapper.py
@@ -9,6 +9,7 @@
 from os.path import isdir, join, isfile
 from os import listdir
 
+
 def capture_logs(process, verbose):
     """Capture logs from ruby process."""
     result = ''
@@ -162,14 +163,14 @@ def call_verify(
         command.extend(all_pact_urls)
         command.extend(['{}={}'.format(k, v) for k, v in options.items() if v])
 
-        if(provider_app_version):
+        if (provider_app_version):
             command.extend(["--provider-app-version",
                             provider_app_version])
 
-        if(kwargs.get('publish_verification_results', False) is True):
+        if (kwargs.get('publish_verification_results', False) is True):
             command.extend(['--publish-verification-results'])
 
-        if(kwargs.get('verbose', False) is True):
+        if (kwargs.get('verbose', False) is True):
             command.extend(['--verbose'])
 
         if enable_pending:
diff --git a/requirements_dev.txt b/requirements_dev.txt
@@ -1,17 +1,18 @@
-Click>=2.0.0
+Click>=8.1.3
 coverage==5.4
-Flask==1.1.4
+Flask==2.2.2
 configparser==3.5.0
-flake8==3.8.3
+flake8==5.0.4
 mock==3.0.5
-psutil==5.7.0
-pycodestyle==2.6.0
+psutil==5.9.4
+pycodestyle==2.9.0
 pydocstyle==4.0.1
-tox==3.14.0
+tox==3.27.1
 pytest==7.1.3
 pytest-cov==2.11.1
-requests>=2.26.0
-tox-travis==0.8
-urllib3>=1.26.5
+requests>=2.28.0
+urllib3>=1.26.12
+uvicorn>=0.19.0
 wheel==0.38.0
-markupsafe==2.0.1
+markupsafe==2.1.1
+httpx==0.23.1
diff --git a/setup.cfg b/setup.cfg
@@ -4,9 +4,10 @@ exclude_lines =
     pragma: no cover
 
 [flake8]
-max-complexity=10
-max-line-length=79
-exclude = .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.direnv
+ignore = E226,E302,E41,W503
+max-line-length = 160
+max-complexity = 12
+exclude = .git,build,dist,venv,.venv,.tox,.pytest_cache,.direnv
 
 [nosetests]
 with-coverage=true
diff --git a/setup.py b/setup.py
@@ -28,11 +28,10 @@
     exec(f.read(), about)
 
 class sdist(sdist_orig):
-    """
-    Subclass sdist so that we can download all standalone ruby applications
-    into ./pact/bin so our users receive all the binaries on pip install.
-    """
+    """Subclass sdist to download all standalone ruby applications into ./pact/bin."""
+
     def run(self):
+        """Installs the dist."""
         package_bin_path = os.path.join(os.path.dirname(__file__), 'pact', 'bin')
 
         if os.path.exists(package_bin_path):
@@ -79,12 +78,12 @@ class PactPythonInstallCommand(install):
     user_options = install.user_options + [('bin-path=', None, None)]
 
     def initialize_options(self):
-        """Load our preconfigured options"""
+        """Load our preconfigured options."""
         install.initialize_options(self)
         self.bin_path = None
 
     def finalize_options(self):
-        """Load provided CLI arguments into our options"""
+        """Load provided CLI arguments into our options."""
         install.finalize_options(self)
 
     def run(self):
@@ -124,7 +123,7 @@ def install_ruby_app(package_bin_path: str, download_bin_path=None):
 
 def ruby_app_binary():
     """
-    Determines the ruby app binary required for this OS.
+    Determine the ruby app binary required for this OS.
 
     :return A dictionary of type {'filename': string, 'version': string, 'suffix': string }
     """
@@ -151,7 +150,7 @@ def ruby_app_binary():
 
 def download_ruby_app_binary(path_to_download_to, filename, suffix):
     """
-    Downloads `binary` into `path_to_download_to`.
+    Download `binary` into `path_to_download_to`.
 
     :param path_to_download_to: The path where binaries should be downloaded.
     :param filename: The filename that should be installed.
@@ -177,7 +176,7 @@ def download_ruby_app_binary(path_to_download_to, filename, suffix):
 
 def extract_ruby_app_binary(source, destination, binary):
     """
-    Extracts the ruby app binary from `source` into `destination`.
+    Extract the ruby app binary from `source` into `destination`.
 
     :param source: The location of the binary to unarchive.
     :param destination: The location to unarchive to.
@@ -189,8 +188,25 @@ def extract_ruby_app_binary(source, destination, binary):
             f.extractall(destination)
     else:
         with tarfile.open(path) as f:
-            f.extractall(destination)
+            def is_within_directory(directory, target):
+
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                return prefix == abs_directory
+
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+
+                tar.extractall(path, members, numeric_owner=numeric_owner)
 
+            safe_extract(f, destination)
 
 def read(filename):
     """Read file contents."""
@@ -200,13 +216,14 @@ def read(filename):
 
 
 dependencies = [
-    'click>=2.0.0',
-    'psutil>=2.0.0',
-    'requests>=2.26.0',
-    'six>=1.9.0',
+    'click>=8.1.3',
+    'psutil>=5.9.4',
+    'requests>=2.28.0',
+    'six>=1.16.0',
     'fastapi>=0.67.0',
-    'urllib3>=1.26.5',
-    'uvicorn>=0.14.0'
+    'urllib3>=1.26.12',
+    'uvicorn>=0.19.0',
+    'httpx==0.23.1'
 ]
 
 if __name__ == '__main__':
diff --git a/tox.ini b/tox.ini
@@ -4,5 +4,5 @@ envlist=py{36,37,38,39,310}-{test,install}
 deps=
     test: -rrequirements_dev.txt
 commands=
-	test: pytest --cov pact tests 
-	install: python -c "import pact"
+	test: pytest --cov pact tests
+	install: python -c "import pact"
