Fix path traversal vulnerability

jupyter_archive/handlers.py

@@ -229,6 +229,18 @@ def extract_archive(self, archive_path):
         self.log.info("Begin extraction of {} to {}.".format(archive_path, archive_destination))
 
         archive_reader = make_reader(archive_path)
+
+        if isinstance(archive_reader, tarfile.TarFile):
+            # Check file path to avoid path traversal
+            # See https://nvd.nist.gov/vuln/detail/CVE-2007-4559
+            with archive_reader as archive:
+                for name in archive_reader.getnames():
+                    if os.path.relpath(archive_destination / name, archive_destination).startswith(os.pardir):
+                        self.log.error(f"The archive file includes an unsafe file: {name}")
+                        raise web.HTTPError(400)
+            # Re-open stream
+            archive_reader = make_reader(archive_path)
+
         with archive_reader as archive:
             archive.extractall(archive_destination)
 

jupyter_archive/tests/test_archive_handler.py

@@ -207,3 +207,23 @@ async def test_extract_failure(jp_fetch, jp_root_dir, format, mode):
         await jp_fetch("extract-archive", archive_path.relative_to(jp_root_dir).as_posix(), method="GET")
     assert e.type == HTTPClientError
     assert not archive_dir_path.exists()
+
+
+@pytest.mark.parametrize(
+    "file_path",
+    [
+        ("../../../../../../../../../../tmp/test"),
+        ("../test"),
+    ],
+)
+async def test_extract_path_traversal(jp_fetch, jp_root_dir, file_path):
+    unsafe_file_path = jp_root_dir / "test"
+    archive_path = jp_root_dir / "test.tar.gz"
+    open(unsafe_file_path, 'a').close()
+    with tarfile.open(archive_path, "w:gz") as tf:
+        tf.add(unsafe_file_path, file_path)
+
+    with pytest.raises(Exception) as e:
+        await jp_fetch("extract-archive", archive_path.relative_to(jp_root_dir).as_posix(), method="GET")
+    assert e.type == HTTPClientError
+    assert e.value.code == 400