nicknezis commented on code in PR #3857: URL: https://github.com/apache/incubator-heron/pull/3857#discussion_r1064254208
########## heron/tools/cli/src/python/execute.py: ########## @@ -101,8 +101,15 @@ def heron_tar(class_name, topology_tar, arguments, tmpdir_root, java_defines): ''' # Extract tar to a tmp folder. tmpdir = tempfile.mkdtemp(dir=tmpdir_root, prefix='tmp') + tmpdir_abs = os.path.abspath(tmpdir) with contextlib.closing(tarfile.open(topology_tar)) as tar: + # Validate file paths + for name in tar.getnames(): + untarpath_abs = os.path.abspath(os.path.join(tmpdir, name)) + if not untarpath_abs.startswith(tmpdir_abs): Review Comment: I updated the comment to include a the vulnerability link. I'll merge this pull request. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
