From 83b16e71e89a970d41f0deae1967e64cd557bc7f Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam
Date: Thu, 3 Nov 2022 09:09:30 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
Review notes (text here is ignored when the patch is applied):
 * is_within_directory() compares whole path components with
   os.path.commonpath(). os.path.commonprefix() compares characters, so a
   member resolving to "<dest>-suffix/..." passed the earlier check.
 * Line breaks and indentation were reconstructed from a whitespace-collapsed
   copy of this patch; context indentation is a best guess, so applying it
   may need `git apply --ignore-whitespace`.
 * NOTE(review): safe_extract() calls getmembers() before extractall();
   confirm every call site opens a seekable archive (the open mode used in
   gerrit_client.py is not visible in this patch).

 .../boringssl/src/util/bot/go/bootstrap.py    | 21 ++++++++++++++++++-
 .../extras/symbolizer/symbolize_trace.py      | 21 ++++++++++++++++++-
 .../download_from_google_storage.py           | 21 ++++++++++++++++++-
 .../gitiles/resources/gerrit_client.py        | 21 ++++++++++++++++++-
 4 files changed, 80 insertions(+), 4 deletions(-)

diff --git a/src/third_party/boringssl/src/util/bot/go/bootstrap.py b/src/third_party/boringssl/src/util/bot/go/bootstrap.py
index 61b9d4347e..e86869a042 100755
--- a/src/third_party/boringssl/src/util/bot/go/bootstrap.py
+++ b/src/third_party/boringssl/src/util/bot/go/bootstrap.py
@@ -132,7 +132,26 @@ def install_toolset(toolset_root, url):
       f.extractall(toolset_root)
   elif pkg_path.endswith('.tar.gz'):
     with tarfile.open(pkg_path, 'r:gz') as f:
-      f.extractall(toolset_root)
+      def is_within_directory(directory, target):
+        # Compare whole path components: a character-wise prefix test would
+        # also accept sibling paths such as "<directory>-evil/x".
+        abs_directory = os.path.abspath(directory)
+        abs_target = os.path.abspath(target)
+        try:
+          common = os.path.commonpath([abs_directory, abs_target])
+        except ValueError:  # e.g. paths on different Windows drives
+          return False
+        return common == abs_directory
+
+      def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        # Validate every member before anything is written to disk.
+        for member in tar.getmembers():
+          member_path = os.path.join(path, member.name)
+          if not is_within_directory(path, member_path):
+            raise Exception("Attempted Path Traversal in Tar File")
+        tar.extractall(path, members, numeric_owner=numeric_owner)
+
+      safe_extract(f, toolset_root)
   else:
     raise Failure('Unrecognized archive format')
 
diff --git a/src/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py b/src/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py
index 26b1e0bbdb..4c28fe2c8f 100755
--- a/src/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py
+++ b/src/third_party/catapult/tracing/tracing/extras/symbolizer/symbolize_trace.py
@@ -1663,7 +1663,26 @@ def GetSymbolsPath(version):
   def ExtractSymbolTarFile(symbol_sub_dir, symbol_tar_file):
     os.makedirs(symbol_sub_dir)
     with tarfile.open(os.path.expanduser(symbol_tar_file), "r:bz2") as tar:
-      tar.extractall(symbol_sub_dir)
+      def is_within_directory(directory, target):
+        # Compare whole path components: a character-wise prefix test would
+        # also accept sibling paths such as "<directory>-evil/x".
+        abs_directory = os.path.abspath(directory)
+        abs_target = os.path.abspath(target)
+        try:
+          common = os.path.commonpath([abs_directory, abs_target])
+        except ValueError:  # e.g. paths on different Windows drives
+          return False
+        return common == abs_directory
+
+      def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        # Validate every member before anything is written to disk.
+        for member in tar.getmembers():
+          member_path = os.path.join(path, member.name)
+          if not is_within_directory(path, member_path):
+            raise Exception("Attempted Path Traversal in Tar File")
+        tar.extractall(path, members, numeric_owner=numeric_owner)
+
+      safe_extract(tar, symbol_sub_dir)
 
   symbol_sub_dir = os.path.join(symbol_base_directory, version)
   if os.path.isdir(symbol_sub_dir):
diff --git a/src/third_party/depot_tools/download_from_google_storage.py b/src/third_party/depot_tools/download_from_google_storage.py
index 067f772aea..68a6b2c523 100755
--- a/src/third_party/depot_tools/download_from_google_storage.py
+++ b/src/third_party/depot_tools/download_from_google_storage.py
@@ -324,7 +324,26 @@ def _downloader_worker_thread(thread_num, q, force, base_url,
           out_q.put('%d> Extracting %d entries from %s to %s' %
                     (thread_num, len(tar.getmembers()),output_filename,
                      extract_dir))
-          tar.extractall(path=dirname)
+          def is_within_directory(directory, target):
+            # Compare whole path components: a character-wise prefix test would
+            # also accept sibling paths such as "<directory>-evil/x".
+            abs_directory = os.path.abspath(directory)
+            abs_target = os.path.abspath(target)
+            try:
+              common = os.path.commonpath([abs_directory, abs_target])
+            except ValueError:  # e.g. paths on different Windows drives
+              return False
+            return common == abs_directory
+
+          def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+            # Validate every member before anything is written to disk.
+            for member in tar.getmembers():
+              member_path = os.path.join(path, member.name)
+              if not is_within_directory(path, member_path):
+                raise Exception("Attempted Path Traversal in Tar File")
+            tar.extractall(path, members, numeric_owner=numeric_owner)
+
+          safe_extract(tar, path=dirname)
       # Set executable bit.
       if sys.platform == 'cygwin':
         # Under cygwin, mark all files as executable. The executable flag in
diff --git a/src/third_party/depot_tools/recipes/recipe_modules/gitiles/resources/gerrit_client.py b/src/third_party/depot_tools/recipes/recipe_modules/gitiles/resources/gerrit_client.py
index 64b66e8859..dc5c9b6c52 100755
--- a/src/third_party/depot_tools/recipes/recipe_modules/gitiles/resources/gerrit_client.py
+++ b/src/third_party/depot_tools/recipes/recipe_modules/gitiles/resources/gerrit_client.py
@@ -177,7 +177,26 @@ def _extract_member(tarinfo, targetpath):
         ret['extracted']['bytes'] += tarinfo.size
         return em(tarinfo, targetpath)
       tf._extract_member = _extract_member
-      tf.extractall(args.extract_to)
+      def is_within_directory(directory, target):
+        # Compare whole path components: a character-wise prefix test would
+        # also accept sibling paths such as "<directory>-evil/x".
+        abs_directory = os.path.abspath(directory)
+        abs_target = os.path.abspath(target)
+        try:
+          common = os.path.commonpath([abs_directory, abs_target])
+        except ValueError:  # e.g. paths on different Windows drives
+          return False
+        return common == abs_directory
+
+      def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        # Validate every member before anything is written to disk.
+        for member in tar.getmembers():
+          member_path = os.path.join(path, member.name)
+          if not is_within_directory(path, member_path):
+            raise Exception("Attempted Path Traversal in Tar File")
+        tar.extractall(path, members, numeric_owner=numeric_owner)
+
+      safe_extract(tf, args.extract_to)
     return ret
 
   if args.log_start: