fix: file seek error

wrgl · Oct 31, 2022 · d373c36 · d373c36
1 parent c889452
commit d373c36
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/wrgl/repository_test.py b/wrgl/repository_test.py
@@ -47,8 +47,7 @@ def download_wrgl(version):
                 ), "https://github.com/wrgl/wrgld/releases/download/v%s/wrgld-%s-amd64.tar.gz" % (
                     version, OS
                 )]:
-            with requests.get(url, stream=True) as r:
-                tar.safe_extractall(r.raw, ver_dir)
+            tar.safe_download_extractall(url, ver_dir)
     return ver_dir / ('wrgl-%s-amd64' % OS) / 'bin' / 'wrgl', ver_dir / ('wrgld-%s-amd64' % OS) / 'bin' / 'wrgld'
 
 

diff --git a/wrgl/tar.py b/wrgl/tar.py
@@ -1,7 +1,11 @@
+import tempfile
+import io
 import os
 import tarfile
 from typing import IO
 
+import requests
+
 def is_within_directory(directory, target):
 
     abs_directory = os.path.abspath(directory)
@@ -11,11 +15,17 @@ def is_within_directory(directory, target):
 
     return prefix == abs_directory
 
-def safe_extractall(fileobj: IO[bytes], path=".", members=None, *, numeric_owner=False):
-    with tarfile.open(mode='r:gz', fileobj=fileobj) as tar:
-        for member in tar.getmembers():
-            member_path = os.path.join(path, member.name)
-            if not is_within_directory(path, member_path):
-                raise Exception("Attempted Path Traversal in Tar File")
+def safe_download_extractall(url:str, path=".", members=None, *, numeric_owner=False):
+    with tempfile.TemporaryFile() as f:
+        with requests.get(url, stream=True) as r:
+            r.raise_for_status()
+            for chunk in r.iter_content(chunk_size=4096): 
+                f.write(chunk)
+        f.seek(0)
+        with tarfile.open(mode='r:gz', fileobj=f) as tar:
+            for member in tar.getmembers():
+                member_path = os.path.join(path, member.name)
+                if not is_within_directory(path, member_path):
+                    raise Exception("Attempted Path Traversal in Tar File")
 
-        tar.extractall(path, members, numeric_owner=numeric_owner) 
+            tar.extractall(path, members, numeric_owner=numeric_owner)