From 641f3501446a4c6f816446a8c55ff7cf1f9f1046 Mon Sep 17 00:00:00 2001
From: Adriane Boyd
Date: Thu, 3 Nov 2022 15:19:58 +0100
Subject: [PATCH] Simplify and add error message
---
 spacy/cli/project/remote_storage.py | 13 +++----------
 spacy/errors.py | 2 ++
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/spacy/cli/project/remote_storage.py b/spacy/cli/project/remote_storage.py
index e65532de2..2b53fbb09 100644
--- a/spacy/cli/project/remote_storage.py
+++ b/spacy/cli/project/remote_storage.py
@@ -85,24 +85,17 @@ class RemoteStorage:
 # This requires that the path is added correctly, relative
 # to root. This is how we set things up in push()
 def is_within_directory(directory, target):
-
 abs_directory = os.path.abspath(directory)
 abs_target = os.path.abspath(target)
-
 prefix = os.path.commonprefix([abs_directory, abs_target])
-
 return prefix == abs_directory
- def safe_extract(
- tar, path=".", members=None, *, numeric_owner=False
- ):
-
+ def safe_extract(tar, path):
 for member in tar.getmembers():
 member_path = os.path.join(path, member.name)
 if not is_within_directory(path, member_path):
- raise Exception("Attempted Path Traversal in Tar File")
-
- tar.extractall(path, members, numeric_owner=numeric_owner)
+ raise ValueError(Errors.E852)
+ tar.extractall(path)
 safe_extract(tar_file, self.root)
 return url
diff --git a/spacy/errors.py b/spacy/errors.py
index c035f684d..cd8277ce7 100644
--- a/spacy/errors.py
+++ b/spacy/errors.py
@@ -542,6 +542,8 @@ class Errors(metaclass=ErrorsWithCodes):
 E202 = ("Unsupported {name} mode '{mode}'. Supported modes: {modes}.")
 # New errors added in v3.x
+ E852 = ("The tar file pulled from the remote attempted an unsafe path "
+ "traversal.")
 E853 = ("Unsupported component factory name '{name}'. The character '.' is "
 "not permitted in factory names.")
 E854 = ("Unable to set doc.ents. Check that the 'ents_filter' does not "
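Review bot: In `spacy/cli/project/remote_storage.py`, the containment test that this cleanup keeps in `is_within_directory` relies on `os.path.commonprefix`, which compares character by character rather than by path component, so a target in a sibling directory whose name merely begins with the root's name still passes the check. Comparing whole components closes that gap: `return os.path.commonpath([abs_directory, abs_target]) == abs_directory`. The loop in `safe_extract` also validates only `member.name`, and `os.path.abspath` does not resolve symlinks, so link members whose link target lies outside `path` are not covered. On interpreters that provide extraction filters, `tar.extractall(path, filter="data")` would add that protection. The enclosing method of `RemoteStorage` begins above this hunk, so how `tar_file` is opened is not visible here.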