hummingbird
/
fastNLP
Not watched
2
0
Fork 0
Code
Releases 13 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
Browse Source

Adding tarfile member sanitization to extractall() (#424) 

Co-authored-by: TrellixVulnTeam <kasimir.schulz@trellix.com>
dev0.8.0^2
TrellixVulnTeam GitHub 1 year ago
parent
5aea874125
commit
1af9d842c0
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 1 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +20
    -1
      fastNLP/io/file_utils.py

+ 20
- 1
fastNLP/io/file_utils.py View File

@@ -471,7 +471,26 @@ def untar_gz_file(file: Path, to: Path):
import tarfile import tarfile


with tarfile.open(file, 'r:gz') as tar: with tarfile.open(file, 'r:gz') as tar:
tar.extractall(to)
def is_within_directory(directory, target):
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
prefix = os.path.commonprefix([abs_directory, abs_target])
return prefix == abs_directory
def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")
tar.extractall(path, members, numeric_owner=numeric_owner)
safe_extract(tar, to)




def ungzip_file(file: str, to: str, filename: str): def ungzip_file(file: str, to: str, filename: str):


Write Preview
Loading…
Cancel
Save