CVE-2007-4559 Patch (#5122)

* Adding tarfile member sanitization to extractall() * Update utils.py Co-authored-by: Hongzhi (Steve), Chen <chenhongzhi.nkcs@gmail.com>

CVE-2007-4559 Patch (#5122)
* Adding tarfile member sanitization to extractall() * Update utils.py Co-authored-by: Hongzhi (Steve), Chen <chenhongzhi.nkcs@gmail.com>
5c6af804 · TrellixVulnTeam · GitHub · f1fb859f · 5c6af804
Unverified Commit 5c6af804 authored Jan 08, 2023 by TrellixVulnTeam Committed by GitHub Jan 09, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 1 deletion

python/dgl/data/utils.py python/dgl/data/utils.py +14 -1

No files found.
--- a/python/dgl/data/utils.py
+++ b/python/dgl/data/utils.py
@@ -257,7 +257,20 @@ def extract_archive(file, target_dir, overwrite=False):
        import tarfile
        with tarfile.open(file, "r") as archive:
-            archive.extractall(path=target_dir)
+            def is_within_directory(directory, target):
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+                return prefix == abs_directory
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+                tar.extractall(path, members, numeric_owner) 
+            safe_extract(archive, path=target_dir)
    elif file.endswith(".gz"):
        import gzip
        import shutil