Adding tarfile member sanitization to extractall() (#1355)

nyu-mll · Oct 16, 2022 · 132f07f · 132f07f
1 parent e6d9062
commit 132f07f
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/jiant/scripts/download_data/utils.py b/jiant/scripts/download_data/utils.py
@@ -91,7 +91,26 @@ def download_and_untar(url, extract_location):
 def untar_file(tar_path, extract_location, delete=False):
     """Untars a file, optionally deleting after"""
     with tarfile.open(tar_path) as tar:
-        tar.extractall(path=extract_location)
+        def is_within_directory(directory, target):
+
+            abs_directory = os.path.abspath(directory)
+            abs_target = os.path.abspath(target)
+
+            prefix = os.path.commonprefix([abs_directory, abs_target])
+
+            return prefix == abs_directory
+
+        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+            for member in tar.getmembers():
+                member_path = os.path.join(path, member.name)
+                if not is_within_directory(path, member_path):
+                    raise Exception("Attempted Path Traversal in Tar File")
+
+            tar.extractall(path, members, numeric_owner=numeric_owner) 
+
+
+        safe_extract(tar, path=extract_location)
     if delete:
         os.remove(tar_path)