From 388e2c2df3ea3e695b2b6b21bf9795b302055a90 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Mon, 24 Oct 2022 01:20:32 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
 .../d2lzh/utils.py"                           | 42 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git "a/\345\217\202\350\200\203\350\265\204\346\226\231/\346\234\272\345\231\250\345\255\246\344\271\240\350\265\204\346\226\231/Dive into Deep Learning\344\273\243\347\240\201/d2lzh/utils.py" "b/\345\217\202\350\200\203\350\265\204\346\226\231/\346\234\272\345\231\250\345\255\246\344\271\240\350\265\204\346\226\231/Dive into Deep Learning\344\273\243\347\240\201/d2lzh/utils.py"
index 37beb4b..df3cd85 100644
--- "a/\345\217\202\350\200\203\350\265\204\346\226\231/\346\234\272\345\231\250\345\255\246\344\271\240\350\265\204\346\226\231/Dive into Deep Learning\344\273\243\347\240\201/d2lzh/utils.py"	
+++ "b/\345\217\202\350\200\203\350\265\204\346\226\231/\346\234\272\345\231\250\345\255\246\344\271\240\350\265\204\346\226\231/Dive into Deep Learning\344\273\243\347\240\201/d2lzh/utils.py"	
@@ -122,7 +122,26 @@ def download_imdb(data_dir='../data'):
     sha1 = '01ada507287d82875905620988597833ad4e0903'
     fname = gutils.download(url, data_dir, sha1_hash=sha1)
     with tarfile.open(fname, 'r') as f:
-        f.extractall(data_dir)
+        def is_within_directory(directory, target):
+            
+            abs_directory = os.path.abspath(directory)
+            abs_target = os.path.abspath(target)
+        
+            prefix = os.path.commonprefix([abs_directory, abs_target])
+            
+            return prefix == abs_directory
+        
+        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        
+            for member in tar.getmembers():
+                member_path = os.path.join(path, member.name)
+                if not is_within_directory(path, member_path):
+                    raise Exception("Attempted Path Traversal in Tar File")
+        
+            tar.extractall(path, members, numeric_owner=numeric_owner) 
+            
+        
+        safe_extract(f, data_dir)
 
 
 def _download_pikachu(data_dir):
@@ -143,7 +162,26 @@ def download_voc_pascal(data_dir='../data'):
     sha1 = '4e443f8a2eca6b1dac8a6c57641b67dd40621a49'
     fname = gutils.download(url, data_dir, sha1_hash=sha1)
     with tarfile.open(fname, 'r') as f:
-        f.extractall(data_dir)
+        def is_within_directory(directory, target):
+            
+            abs_directory = os.path.abspath(directory)
+            abs_target = os.path.abspath(target)
+        
+            prefix = os.path.commonprefix([abs_directory, abs_target])
+            
+            return prefix == abs_directory
+        
+        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        
+            for member in tar.getmembers():
+                member_path = os.path.join(path, member.name)
+                if not is_within_directory(path, member_path):
+                    raise Exception("Attempted Path Traversal in Tar File")
+        
+            tar.extractall(path, members, numeric_owner=numeric_owner) 
+            
+        
+        safe_extract(f, data_dir)
     return voc_dir