From 8bec6d921bf861f432d10a3ff27298f9dc358db0 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Mon, 19 Dec 2022 07:21:30 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
 cwldep/__init__.py | 42 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/cwldep/__init__.py b/cwldep/__init__.py
index 3279622..7b9823f 100644
--- a/cwldep/__init__.py
+++ b/cwldep/__init__.py
@@ -164,10 +164,48 @@ def do_deps(req):
                 download(tgt, upstream, "", locks, verified, operation=="check")
                 if spup.path.endswith(".tar.gz"):
                     with tarfile.open(tgt) as t:
-                        t.extractall(installTo)
+                        def is_within_directory(directory, target):
+                            
+                            abs_directory = os.path.abspath(directory)
+                            abs_target = os.path.abspath(target)
+                        
+                            prefix = os.path.commonprefix([abs_directory, abs_target])
+                            
+                            return prefix == abs_directory
+                        
+                        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                        
+                            for member in tar.getmembers():
+                                member_path = os.path.join(path, member.name)
+                                if not is_within_directory(path, member_path):
+                                    raise Exception("Attempted Path Traversal in Tar File")
+                        
+                            tar.extractall(path, members, numeric_owner=numeric_owner) 
+                            
+                        
+                        safe_extract(t, installTo)
                 elif spup.path.endswith(".tar.bz2"):
                     with tarfile.open(tgt) as t:
-                        t.extractall(installTo)
+                        def is_within_directory(directory, target):
+                            
+                            abs_directory = os.path.abspath(directory)
+                            abs_target = os.path.abspath(target)
+                        
+                            prefix = os.path.commonprefix([abs_directory, abs_target])
+                            
+                            return prefix == abs_directory
+                        
+                        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                        
+                            for member in tar.getmembers():
+                                member_path = os.path.join(path, member.name)
+                                if not is_within_directory(path, member_path):
+                                    raise Exception("Attempted Path Traversal in Tar File")
+                        
+                            tar.extractall(path, members, numeric_owner=numeric_owner) 
+                            
+                        
+                        safe_extract(t, installTo)
                 elif spup.path.endswith(".zip"):
                     with zipfile.ZipFile(tgt) as z:
                         z.extractall(installTo)