This is an automated email from the ASF dual-hosted git repository. tvb pushed a commit to branch tristan/CVE-2007-4559 in repository https://gitbox.apache.org/repos/asf/buildstream-plugins.git
commit 64edf7129ff6ca21b834e32b681c9f1a12e42ef8 Author: TrellixVulnTeam <[email protected]> AuthorDate: Fri Nov 25 01:05:52 2022 +0000 Adding tarfile member sanitization to extractall() --- src/buildstream_plugins/sources/cargo.py | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/buildstream_plugins/sources/cargo.py b/src/buildstream_plugins/sources/cargo.py index e04af98..61c89fc 100644 --- a/src/buildstream_plugins/sources/cargo.py +++ b/src/buildstream_plugins/sources/cargo.py @@ -148,7 +148,25 @@ class Crate(SourceFetcher): try: mirror_file = self._get_mirror_file() with tarfile.open(mirror_file) as tar: - tar.extractall(path=directory) + + def is_within_directory(directory, target): + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + safe_extract(tar, path=directory) members = tar.getmembers() if members:
