Posted to commits@buildstream.apache.org by tv...@apache.org on 2022/11/27 05:21:14 UTC
[buildstream-plugins] 01/01: Adding tarfile member sanitization to extractall()
This is an automated email from the ASF dual-hosted git repository.
tvb pushed a commit to branch tristan/CVE-2007-4559
in repository https://gitbox.apache.org/repos/asf/buildstream-plugins.git
commit 64edf7129ff6ca21b834e32b681c9f1a12e42ef8
Author: TrellixVulnTeam <ch...@trellix.com>
AuthorDate: Fri Nov 25 01:05:52 2022 +0000
Adding tarfile member sanitization to extractall()
---
src/buildstream_plugins/sources/cargo.py | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/buildstream_plugins/sources/cargo.py b/src/buildstream_plugins/sources/cargo.py
index e04af98..61c89fc 100644
--- a/src/buildstream_plugins/sources/cargo.py
+++ b/src/buildstream_plugins/sources/cargo.py
@@ -148,7 +148,25 @@ class Crate(SourceFetcher):
try:
mirror_file = self._get_mirror_file()
with tarfile.open(mirror_file) as tar:
- tar.extractall(path=directory)
+
+ def is_within_directory(directory, target):
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+ safe_extract(tar, path=directory)
members = tar.getmembers()
if members: