Skip to content
Permalink
Browse files Browse the repository at this point in the history
Use safe extract to prevent CVE-2007-4559 bug
  • Loading branch information
ZoranPandovski committed Feb 16, 2023
1 parent e83cdc5 commit 4419b0f
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 2 deletions.
4 changes: 2 additions & 2 deletions mindsdb/api/http/namespaces/file.py
Expand Up @@ -9,7 +9,7 @@
import requests

from mindsdb.utilities import log
from mindsdb.api.http.utils import http_error
from mindsdb.api.http.utils import http_error, safe_extract
from mindsdb.api.http.namespaces.configs.files import ns_conf
from mindsdb.utilities.config import Config
from mindsdb.utilities.context import context as ctx
Expand Down Expand Up @@ -134,7 +134,7 @@ def on_file(file):
f.extractall(temp_dir_path)
elif lp.endswith('.tar.gz'):
with tarfile.open(file_path) as f:
f.extractall(temp_dir_path)
safe_extract(f, temp_dir_path)
os.remove(file_path)
files = os.listdir(temp_dir_path)
if len(files) != 1:
Expand Down
15 changes: 15 additions & 0 deletions mindsdb/api/http/utils.py
@@ -1,4 +1,5 @@
import json
import os

from flask import Response

Expand All @@ -22,3 +23,17 @@ def http_error(status_code, title, detail=''):
'Content-Type': 'application/problem+json'
}
)

def __is_within_directory(directory, target):
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
prefix = os.path.commonprefix([abs_directory, abs_target])
return prefix == abs_directory

def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not __is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")
tar.extractall(path, members, numeric_owner)

0 comments on commit 4419b0f

Please sign in to comment.