From eeafbd48fa7f774f8d80843c1d745fd79d3dba25 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Mon, 3 Oct 2022 04:25:49 +0000 Subject: [PATCH 1/2] Adding tarfile member sanitization to extractall() --- .../media_sequence/kinetics_dataset.py | 42 ++++++++++++++++++- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py b/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py index eafe18f..4df4304 100644 --- a/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py +++ b/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py @@ -341,12 +341,50 @@ def _download_data(self, download_labels_for_map): if not tf.io.gfile.exists(tar_path): urlretrieve(ANNOTATION_URL, tar_path) with tarfile.open(tar_path) as annotations_tar: - annotations_tar.extractall(self.path_to_data) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(annotations_tar, self.path_to_data) for split in ["train", "test", "validate"]: csv_path = os.path.join(self.path_to_data, "kinetics700/%s.csv" % split) if not tf.io.gfile.exists(csv_path): with tarfile.open(tar_path) as annotations_tar: - annotations_tar.extractall(self.path_to_data) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(annotations_tar, self.path_to_data) paths[split] = csv_path for split, contents in SPLITS.items(): if "csv" in contents and contents["csv"]: From 98a6ad6518ef2e07f4836550c10108bd6617cb3f Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Tue, 4 Oct 2022 23:27:06 +0000 Subject: [PATCH 2/2] Adding numeric_owner as keyword arguement --- mediapipe/examples/desktop/media_sequence/kinetics_dataset.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py b/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py index 4df4304..71543d5 100644 --- a/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py +++ b/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py @@ -357,7 +357,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(annotations_tar, self.path_to_data) @@ -381,7 +381,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(annotations_tar, self.path_to_data)