From 317a6a763793808082667df9d6c9ac446bb99bea Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Sat, 17 Dec 2022 20:10:32 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- python/mozbuild/mozbuild/repackaging/dmg.py | 21 ++++++++++++++++++- .../web-platform/tests/tools/wpt/browser.py | 21 ++++++++++++++++++- .../tests/integration/test_install_twists.py | 21 ++++++++++++++++++- 3 files changed, 60 insertions(+), 3 deletions(-) diff --git a/python/mozbuild/mozbuild/repackaging/dmg.py b/python/mozbuild/mozbuild/repackaging/dmg.py index 9868e85697b1..aa9907cc5ea2 100644 --- a/python/mozbuild/mozbuild/repackaging/dmg.py +++ b/python/mozbuild/mozbuild/repackaging/dmg.py @@ -19,7 +19,26 @@ def repackage_dmg(infile, output): tmpdir = tempfile.mkdtemp() try: with tarfile.open(infile) as tar: - tar.extractall(path=tmpdir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, path=tmpdir) # Remove the /Applications symlink. If we don't, an rsync command in # create_dmg() will break, and create_dmg() re-creates the symlink anyway. diff --git a/testing/web-platform/tests/tools/wpt/browser.py b/testing/web-platform/tests/tools/wpt/browser.py index f5bc7c0af026..65e89e0fca3b 100644 --- a/testing/web-platform/tests/tools/wpt/browser.py +++ b/testing/web-platform/tests/tools/wpt/browser.py @@ -360,7 +360,26 @@ def install_geckodriver_nightly(self, dest): return # Remove bin/ from the path. member.name = os.path.basename(member.name) - f.extractall(members=[member], path=dest) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, members=[member], path=dest) path = os.path.join(dest, member.name) self.logger.info("Extracted geckodriver to %s" % path) finally: diff --git a/third_party/python/pipenv/tests/integration/test_install_twists.py b/third_party/python/pipenv/tests/integration/test_install_twists.py index b4b78632c6b0..ee8cf1cf6d7a 100644 --- a/third_party/python/pipenv/tests/integration/test_install_twists.py +++ b/third_party/python/pipenv/tests/integration/test_install_twists.py @@ -163,7 +163,26 @@ def test_local_package(PipenvInstance, pip_src_dir, pypi, testsroot): shutil.copy(source_path, copy_to) import tarfile with tarfile.open(copy_to, 'r:gz') as tgz: - tgz.extractall(path=p.path) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tgz, path=p.path) c = p.pipenv('install -e {0}'.format(package)) assert c.return_code == 0 assert all(pkg in p.lockfile['default'] for pkg in ['xlrd', 'xlwt', 'pyyaml', 'odfpy'])