mirror of
https://github.com/vector-im/element-web.git
synced 2024-11-22 08:08:42 +08:00
Adding tarfile member sanitization to extractall() (#23906)
Co-authored-by: Šimon Brandner <simon.bra.ag@gmail.com> Co-authored-by: TrellixVulnTeam <charles.mcfarland@trellix.com>
This commit is contained in:
parent
2cf4c5a26f
commit
7defcf3957
@ -98,7 +98,24 @@ class Deployer:
|
||||
|
||||
try:
|
||||
with tarfile.open(tarball) as tar:
|
||||
tar.extractall(extract_path)
|
||||
def is_within_directory(directory, target):
|
||||
abs_directory = os.path.abspath(directory)
|
||||
abs_target = os.path.abspath(target)
|
||||
|
||||
prefix = os.path.commonprefix([abs_directory, abs_target])
|
||||
|
||||
return prefix == abs_directory
|
||||
|
||||
def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
|
||||
for member in tar.getmembers():
|
||||
member_path = os.path.join(path, member.name)
|
||||
if not is_within_directory(path, member_path):
|
||||
raise Exception("Attempted Path Traversal in Tar File")
|
||||
|
||||
tar.extractall(path, members, numeric_owner=numeric_owner)
|
||||
|
||||
|
||||
safe_extract(tar, extract_path)
|
||||
finally:
|
||||
if self.should_clean and downloaded:
|
||||
os.remove(tarball)
|
||||
|
Loading…
Reference in New Issue
Block a user