From d17903d4e9f404593ffc1bdb7b4e710baae54662 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <112716341+TrellixVulnTeam@users.noreply.github.com>
Date: Thu, 27 Oct 2022 06:56:05 -0500
Subject: [PATCH] Adding tarfile member sanitization to extractall() (#803)

---
 clearml/storage/manager.py | 42 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/clearml/storage/manager.py b/clearml/storage/manager.py
index 029c5c70..5e7b0828 100644
--- a/clearml/storage/manager.py
+++ b/clearml/storage/manager.py
@@ -165,10 +165,48 @@ class StorageManager(object):
                 ZipFile(cached_file.as_posix()).extractall(path=temp_target_folder.as_posix())
             elif suffix == ".tar.gz":
                 with tarfile.open(cached_file.as_posix()) as file:
-                    file.extractall(temp_target_folder.as_posix())
+                    def is_within_directory(directory, target):
+                        
+                        abs_directory = os.path.abspath(directory)
+                        abs_target = os.path.abspath(target)
+                    
+                        prefix = os.path.commonprefix([abs_directory, abs_target])
+                        
+                        return prefix == abs_directory
+                    
+                    def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                    
+                        for member in tar.getmembers():
+                            member_path = os.path.join(path, member.name)
+                            if not is_within_directory(path, member_path):
+                                raise Exception("Attempted Path Traversal in Tar File")
+                    
+                        tar.extractall(path, members, numeric_owner=numeric_owner) 
+                        
+                    
+                    safe_extract(file, temp_target_folder.as_posix())
             elif suffix == ".tgz":
                 with tarfile.open(cached_file.as_posix(), mode='r:gz') as file:
-                    file.extractall(temp_target_folder.as_posix())
+                    def is_within_directory(directory, target):
+                        
+                        abs_directory = os.path.abspath(directory)
+                        abs_target = os.path.abspath(target)
+                    
+                        prefix = os.path.commonprefix([abs_directory, abs_target])
+                        
+                        return prefix == abs_directory
+                    
+                    def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                    
+                        for member in tar.getmembers():
+                            member_path = os.path.join(path, member.name)
+                            if not is_within_directory(path, member_path):
+                                raise Exception("Attempted Path Traversal in Tar File")
+                    
+                        tar.extractall(path, members, numeric_owner=numeric_owner) 
+                        
+                    
+                    safe_extract(file, temp_target_folder.as_posix())
 
             if temp_target_folder != target_folder:
                 # we assume we will have such folder if we already extract the file