From 93b824db91fb69e01ec483a53f7cb0718a3a4694 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Mon, 10 Oct 2022 10:30:54 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- scripts/prepare_imagenet.py | 42 +++++++++++++++++++++++++++++++++++-- scripts/prepare_minc.py | 21 ++++++++++++++++++- scripts/prepare_pascal.py | 42 +++++++++++++++++++++++++++++++++++-- scripts/prepare_pcontext.py | 21 ++++++++++++++++++- 4 files changed, 120 insertions(+), 6 deletions(-) diff --git a/scripts/prepare_imagenet.py b/scripts/prepare_imagenet.py index 904fdf2..1ad08b9 100644 --- a/scripts/prepare_imagenet.py +++ b/scripts/prepare_imagenet.py @@ -51,7 +51,26 @@ def extract_train(tar_fname, target_dir, with_rec=False, num_thread=1): class_dir = os.path.splitext(class_fname)[0] os.mkdir(class_dir) with tarfile.open(class_fname) as f: - f.extractall(class_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(f, class_dir) os.remove(class_fname) pbar.update(1) pbar.close() @@ -60,7 +79,26 @@ def extract_val(tar_fname, target_dir, with_rec=False, num_thread=1): mkdir(target_dir) print('Extracting ' + tar_fname) with tarfile.open(tar_fname) as tar: - tar.extractall(target_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, target_dir) # build rec file before images are moved into subfolders # move images to proper subfolders subprocess.call(["wget -qO- https://raw.githubusercontent.com/soumith/imagenetloader.torch/master/valprep.sh | bash"], diff --git a/scripts/prepare_minc.py b/scripts/prepare_minc.py index fc37d91..6523df1 100644 --- a/scripts/prepare_minc.py +++ b/scripts/prepare_minc.py @@ -27,7 +27,26 @@ def download_minc(path, overwrite=False): filename = download(url, path=download_dir, overwrite=overwrite, sha1_hash=checksum) # extract with tarfile.open(filename) as tar: - tar.extractall(path=path) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, path=path) if __name__ == '__main__': args = parse_args() diff --git a/scripts/prepare_pascal.py b/scripts/prepare_pascal.py index 9f8bece..82ec3d8 100644 --- a/scripts/prepare_pascal.py +++ b/scripts/prepare_pascal.py @@ -30,7 +30,26 @@ def download_voc(path, overwrite=False): filename = download(url, path=download_dir, overwrite=overwrite, sha1_hash=checksum) # extract with tarfile.open(filename) as tar: - tar.extractall(path=path) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, path=path) def download_aug(path, overwrite=False): @@ -42,7 +61,26 @@ def download_aug(path, overwrite=False): filename = download(url, path=download_dir, overwrite=overwrite, sha1_hash=checksum) # extract with tarfile.open(filename) as tar: - tar.extractall(path=path) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, path=path) shutil.move(os.path.join(path, 'benchmark_RELEASE'), os.path.join(path, 'VOCaug')) filenames = ['VOCaug/dataset/train.txt', 'VOCaug/dataset/val.txt'] diff --git a/scripts/prepare_pcontext.py b/scripts/prepare_pcontext.py index 9341a5d..90c405e 100644 --- a/scripts/prepare_pcontext.py +++ b/scripts/prepare_pcontext.py @@ -35,7 +35,26 @@ def download_ade(path, overwrite=False): # extract if os.path.splitext(filename)[1] == '.tar': with tarfile.open(filename) as tar: - tar.extractall(path=path) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar, path=path) else: shutil.move(filename, os.path.join(path, 'VOCdevkit/VOC2010/'+os.path.basename(filename)))