mirror of
https://github.com/vector-im/element-web.git
synced 2024-11-26 02:18:25 +08:00
Adding tarfile member sanitization to extractall() (#23906)
Co-authored-by: Šimon Brandner <simon.bra.ag@gmail.com> Co-authored-by: TrellixVulnTeam <charles.mcfarland@trellix.com>
This commit is contained in:
parent
2cf4c5a26f
commit
7defcf3957
@ -98,7 +98,24 @@ class Deployer:
|
|||||||
|
|
||||||
try:
|
try:
|
||||||
with tarfile.open(tarball) as tar:
|
with tarfile.open(tarball) as tar:
|
||||||
tar.extractall(extract_path)
|
def is_within_directory(directory, target):
|
||||||
|
abs_directory = os.path.abspath(directory)
|
||||||
|
abs_target = os.path.abspath(target)
|
||||||
|
|
||||||
|
prefix = os.path.commonprefix([abs_directory, abs_target])
|
||||||
|
|
||||||
|
return prefix == abs_directory
|
||||||
|
|
||||||
|
def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
|
||||||
|
for member in tar.getmembers():
|
||||||
|
member_path = os.path.join(path, member.name)
|
||||||
|
if not is_within_directory(path, member_path):
|
||||||
|
raise Exception("Attempted Path Traversal in Tar File")
|
||||||
|
|
||||||
|
tar.extractall(path, members, numeric_owner=numeric_owner)
|
||||||
|
|
||||||
|
|
||||||
|
safe_extract(tar, extract_path)
|
||||||
finally:
|
finally:
|
||||||
if self.should_clean and downloaded:
|
if self.should_clean and downloaded:
|
||||||
os.remove(tarball)
|
os.remove(tarball)
|
||||||
|
Loading…
Reference in New Issue
Block a user