Adding tarfile member sanitization to extractall()

2025-08-08 06:04:57 +03:00 · 2022-10-20 17:06:59 +00:00 · 2022-10-20 17:06:59 +00:00 · 0c51c2c698
commit 0c51c2c698
parent b69d249a22
1 changed files with 20 additions and 1 deletions
--- a/spacy/cli/project/remote_storage.py
+++ b/spacy/cli/project/remote_storage.py
@ -84,7 +84,26 @@ class RemoteStorage:
                with tarfile.open(tar_loc, mode=mode_string) as tar_file:
                    # This requires that the path is added correctly, relative
                    # to root. This is how we set things up in push()
-                    tar_file.extractall(self.root)
+                    def is_within_directory(directory, target):
+                        
+                        abs_directory = os.path.abspath(directory)
+                        abs_target = os.path.abspath(target)
+                    
+                        prefix = os.path.commonprefix([abs_directory, abs_target])
+                        
+                        return prefix == abs_directory
+                    
+                    def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                    
+                        for member in tar.getmembers():
+                            member_path = os.path.join(path, member.name)
+                            if not is_within_directory(path, member_path):
+                                raise Exception("Attempted Path Traversal in Tar File")
+                    
+                        tar.extractall(path, members, numeric_owner=numeric_owner) 
+                        
+                    
+                    safe_extract(tar_file, self.root)
        return url

    def find(