This is an automated email from the ASF dual-hosted git repository.

nicknezis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-heron.git


The following commit(s) were added to refs/heads/master by this push:
     new 9dc50c33544 Validate destination path before untar (#3857)
9dc50c33544 is described below

commit 9dc50c33544be3f0089a68a42e3b990f5b76400e
Author: Huijun Wu <[email protected]>
AuthorDate: Mon Jan 9 04:14:42 2023 -0800

    Validate destination path before untar (#3857)
    
    Co-authored-by: Huijun Wu <[email protected]>
    Co-authored-by: Nicholas Nezis <[email protected]>
---
 heron/tools/cli/src/python/execute.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/heron/tools/cli/src/python/execute.py 
b/heron/tools/cli/src/python/execute.py
index f71b0e90747..33480266313 100644
--- a/heron/tools/cli/src/python/execute.py
+++ b/heron/tools/cli/src/python/execute.py
@@ -101,8 +101,17 @@ def heron_tar(class_name, topology_tar, arguments, 
tmpdir_root, java_defines):
   '''
   # Extract tar to a tmp folder.
   tmpdir = tempfile.mkdtemp(dir=tmpdir_root, prefix='tmp')
+  tmpdir_abs = os.path.abspath(tmpdir)
 
   with contextlib.closing(tarfile.open(topology_tar)) as tar:
+    # Validate file paths to protect against this:
+    # https://security.snyk.io/research/zip-slip-vulnerability
+    for name in tar.getnames():
+      untarpath_abs = os.path.abspath(os.path.join(tmpdir, name))
+      if not untarpath_abs.startswith(tmpdir_abs):
+        raise Exception("tar attempted to extract a file " \
+            f"outside the destination dir: {untarpath_abs}:{name}")
+
     tar.extractall(path=tmpdir)
 
   # A tar generated by pants has all dependency jars under libs/
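Review bot: The containment test on the `if not untarpath_abs.startswith(tmpdir_abs)` line is a plain string-prefix check, so an entry resolving to a sibling directory whose name merely begins with the temp dir's name (constructed example: `../tmpXXXXab/file` next to a `tmpXXXX` destination) passes and is written outside the destination. Compare path components instead, `if os.path.commonpath([tmpdir_abs, untarpath_abs]) != tmpdir_abs:`, which is a drop-in replacement here since both values are already absolute. The loop also only inspects member names; symlink and hardlink members can still point outside `tmpdir` and be written through by a later member, so iterating `tar.getmembers()` and applying an equivalent containment test to `member.linkname` for `issym()`/`islnk()` entries closes that gap (on Python versions whose `tarfile` supports it, `tar.extractall(path=tmpdir, filter='data')` enforces both). Raising a bare `Exception` on the following line makes the failure hard for callers to distinguish from other errors; a `ValueError` or a project-specific exception would be clearer. heron_tar's body continues outside the hunk.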
