Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add safe extraction of nemo tar files #8976

Merged
merged 6 commits into from
May 2, 2024
Merged

Add safe extraction of nemo tar files #8976

merged 6 commits into from
May 2, 2024

Conversation

athitten
Copy link
Collaborator

@athitten athitten commented Apr 18, 2024
edited
Loading

What does this PR do ?

Enables safe extraction of nemo tar files in the SaveRestoreConnector class. To avoid security risks of arbitraty file writes via maliciously crafted paths in the tar file, the safe extraction checks:

  1. The member paths within tar archive do not contain any absolute paths or path traversal components (like ../..)
  2. The member files are extracted to the intended directory.

Collection: [Note which collection this PR will affect]

Changelog

  • Add specific line by line info of high level changes in this PR.

Usage

  • You can potentially add a usage example below
# Add a code snippet demonstrating how to use this

Jenkins CI

To run Jenkins, a NeMo User with write access must comment jenkins on the PR.

Before your PR is "Ready for review"

Pre checks:

  • Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests?
  • Did you add or update any necessary documentation?
  • Does the PR affect components that are optional to install? (Ex: Numba, Pynini, Apex etc)
    • Reviewer: Does the PR have correct import guards for all optional libraries?

PR Type:

  • New Feature
  • Bugfix
  • Documentation

If you haven't finished some of the above items you can still open "Draft" PR.

Who can review?

Anyone in the community is free to review the PR once the checks have passed.
Contributor guidelines contains specific people who can review PRs to various areas.

Additional Information

  • Related to # (issue)

@github-actions github-actions bot added the core Changes to NeMo Core label Apr 18, 2024
@athitten
Copy link
Collaborator Author

jenkins

@athitten
Add safe extraction of nemo tar files
d037ea7 
Signed-off-by: Abhishree <abhishreetm@gmail.com>
@athitten
Fix bugs
6b34109 
Signed-off-by: Abhishree <abhishreetm@gmail.com>
@athitten
Copy link
Collaborator Author

jenkins

@athitten athitten marked this pull request as ready for review April 26, 2024 18:17
ericharper
ericharper reviewed May 1, 2024
View reviewed changes
nemo/core/connectors/save_restore_connector.py Outdated
if SaveRestoreConnector._is_safe_path(member, extract_to):
tar.extract(member, extract_to)
else:
print(f"Skipping potentially unsafe member: {member.name}")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you update this to logging ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@athitten
Replace print with logging
3163f48 
Signed-off-by: Abhishree Thittenamane <47577437+athitten@users.noreply.github.com>
titu1994
titu1994 approved these changes May 2, 2024
View reviewed changes
Copy link
Collaborator

@titu1994 titu1994 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice !

ericharper
ericharper approved these changes May 2, 2024
View reviewed changes
Copy link
Collaborator

@ericharper ericharper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

@athitten athitten merged commit f15e897 into main May 2, 2024
133 checks passed
@athitten athitten deleted the athitten/safe_extraction branch May 2, 2024 16:48
rohitrango pushed a commit to rohitrango/NeMo that referenced this pull request Jun 25, 2024
@athitten @ericharper @pablo-garay
Add safe extraction of nemo tar files (NVIDIA#8976)
76b5a1c 
* Add safe extraction of nemo tar files

Signed-off-by: Abhishree <abhishreetm@gmail.com>

* Fix bugs

Signed-off-by: Abhishree <abhishreetm@gmail.com>

* Replace print with logging

Signed-off-by: Abhishree Thittenamane <47577437+athitten@users.noreply.github.com>

---------

Signed-off-by: Abhishree <abhishreetm@gmail.com>
Signed-off-by: Abhishree Thittenamane <47577437+athitten@users.noreply.github.com>
Co-authored-by: Eric Harper <complex451@gmail.com>
Co-authored-by: Pablo Garay <palenq@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@titu1994 titu1994 titu1994 approved these changes

@ericharper ericharper ericharper approved these changes

Assignees
No one assigned
Labels
core Changes to NeMo Core Run CICD
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@athitten @titu1994 @ericharper @pablo-garay