diff --git a/support/test/test.py b/support/test/test.py
index 592b700..ce7d635 100755
--- a/support/test/test.py
+++ b/support/test/test.py
@@ -41,7 +41,26 @@ def test_analysis_on_precomputed(self):
 # Get and extract precomputed results
 with urllib.request.urlopen(RESULTS) as fh:
 with tarfile.open(fileobj=fh, mode='r:gz') as tf:
- tf.extractall()
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tf)
 for subdir in os.listdir('results/output'):
 shutil.move('results/output/%s' % subdir, '../modeling/output/')
@@ -66,7 +85,26 @@ def test_accuracy_of_precomputed_analysis(self):
 # Get and extract precomputed analysis
 with urllib.request.urlopen(ANALYSIS) as fh:
 with tarfile.open(fileobj=fh, mode='r:gz') as tf:
- tf.extractall()
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tf)
 subprocess.check_call(["python", 'accuracy.py'])