From 826fa75f07b399044594914e616900006292d2c6 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Wed, 5 Oct 2022 04:52:47 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- src/webdrivermanager/base.py | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/src/webdrivermanager/base.py b/src/webdrivermanager/base.py index 7a18df7..1e8f31b 100644 --- a/src/webdrivermanager/base.py +++ b/src/webdrivermanager/base.py @@ -315,7 +315,26 @@ def download_and_install(self, version="latest", show_progress_bar=True): archive_file = dl_path / filename if archive_type == 1: with tarfile.open(archive_file, mode="r:*") as tar: - tar.extractall(extract_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, extract_dir) LOGGER.debug("Extracted files: %s", ", ".join(tar.getnames())) elif archive_type == 2: with zipfile.ZipFile(archive_file, mode="r") as driver_zipfile: