Add safe extraction of nemo tar files #8976
Conversation
jenkins
Signed-off-by: Abhishree <abhishreetm@gmail.com>
de2d0b6 to 6b34109
jenkins
        if SaveRestoreConnector._is_safe_path(member, extract_to):
            tar.extract(member, extract_to)
        else:
            print(f"Skipping potentially unsafe member: {member.name}")
can you update this to logging ?
Done
Signed-off-by: Abhishree Thittenamane <47577437+athitten@users.noreply.github.com>
Very nice !
LGTM. Thanks!
* Add safe extraction of nemo tar files
Signed-off-by: Abhishree <abhishreetm@gmail.com>
* Fix bugs
Signed-off-by: Abhishree <abhishreetm@gmail.com>
* Replace print with logging
Signed-off-by: Abhishree Thittenamane <47577437+athitten@users.noreply.github.com>
---------
Signed-off-by: Abhishree <abhishreetm@gmail.com>
Signed-off-by: Abhishree Thittenamane <47577437+athitten@users.noreply.github.com>
Co-authored-by: Eric Harper <complex451@gmail.com>
Co-authored-by: Pablo Garay <palenq@gmail.com>
What does this PR do?
Enables safe extraction of nemo tar files in the SaveRestoreConnector class. To avoid security risks of arbitrary file writes via maliciously crafted paths in the tar file, the safe extraction checks:
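The PR description above ends before listing the checks, and the review thread only shows the call site (`_is_safe_path` guarding `tar.extract`). As an added illustration, not NeMo's own `SaveRestoreConnector` code, here is a stand-alone Python version of the pattern: resolve each member's destination, extract it only if it stays under the target directory, and log (rather than print, as the reviewer asked) anything skipped. The function names `is_safe_path` and `safe_extract_all`, the decision to also reject absolute member names and symlinks or hard links whose target escapes the directory, and the in-memory sample archive are all assumptions made for this example; they go beyond the `..` case the PR text mentions.

```python
"""Safe tar extraction: every member's destination is resolved and checked
to lie under the target directory before it is written.

Example code added for illustration; not the NeMo project's implementation.
The archive used below is constructed in memory for the demonstration.
"""
from __future__ import annotations

import io
import logging
import os
import tarfile
import tempfile

logger = logging.getLogger(__name__)


def _inside(base: str, candidate: str) -> bool:
    """True if the resolved candidate path is base itself or below it."""
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base


def is_safe_path(member: tarfile.TarInfo, extract_to: str) -> bool:
    """Return True only if extracting `member` cannot write outside extract_to.

    Covers '..' traversal and absolute names, and for links also checks
    where the link points (assumption: link escapes are treated as unsafe).
    """
    base = os.path.realpath(extract_to)
    dest = os.path.join(base, member.name)  # absolute names override base
    if not _inside(base, dest):
        return False
    if member.issym():
        # Symlink targets are relative to the link's own directory.
        return _inside(base, os.path.join(os.path.dirname(dest), member.linkname))
    if member.islnk():
        # Hard-link targets are relative to the archive root.
        return _inside(base, os.path.join(base, member.linkname))
    return True


def safe_extract_all(tar: tarfile.TarFile, extract_to: str) -> tuple[list[str], list[str]]:
    """Extract safe members, skip and log the rest; returns (extracted, skipped)."""
    extracted, skipped = [], []
    for member in tar.getmembers():
        if is_safe_path(member, extract_to):
            tar.extract(member, extract_to)
            extracted.append(member.name)
        else:
            logger.warning("Skipping potentially unsafe member: %s", member.name)
            skipped.append(member.name)
    return extracted, skipped


def build_demo_archive() -> bytes:
    """Constructed sample: one benign file, two escaping paths, two symlinks."""
    payload = b"placeholder checkpoint bytes\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("model_weights.ckpt", "../escaped.txt", "/outside/absolute.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("escape_link")          # points outside
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside_target"
        tar.addfile(link)
        link = tarfile.TarInfo("link_to_weights")      # stays inside
        link.type, link.linkname = tarfile.SYMTYPE, "model_weights.ckpt"
        tar.addfile(link)
    return buf.getvalue()


def run_demo() -> tuple[list[str], list[str]]:
    """Extract the constructed archive into a temp dir; returns (extracted, skipped)."""
    with tempfile.TemporaryDirectory() as extract_to, \
            tarfile.open(fileobj=io.BytesIO(build_demo_archive()), mode="r") as tar:
        return safe_extract_all(tar, extract_to)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    ok, bad = run_demo()
    print("extracted:", ok)
    print("skipped:  ", bad)
```

Both paths are run through `os.path.realpath` before comparison so that a destination that merely starts with the target string (for example `out` versus `out-other`) or a path routed through an already-extracted symlink is still judged correctly. On Python 3.12 and later the standard library offers the same protection through `tar.extractall(path, filter="data")`, which is the `tarfile` filter that the `tar.extract` deprecation warning points at.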