From 5b640c699d06487211557460f4fc181b0313f650 Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Sat, 1 Oct 2022 10:28:51 +0000 Subject: [PATCH 1/2] Adding tarfile member sanitization to extractall() --- WEB(FE)/node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/WEB(FE)/node_modules/node-gyp/update-gyp.py b/WEB(FE)/node_modules/node-gyp/update-gyp.py index aa2bcb9e..9962aa02 100644 --- a/WEB(FE)/node_modules/node-gyp/update-gyp.py +++ b/WEB(FE)/node_modules/node-gyp/update-gyp.py @@ -34,7 +34,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): From 3175264785892328bf70cd250c6abc36b437929a Mon Sep 17 00:00:00 2001 From: TrellixVulnTeam Date: Tue, 4 Oct 2022 04:19:06 +0000 Subject: [PATCH 2/2] Adding numeric_owner as keyword arguement --- WEB(FE)/node_modules/node-gyp/update-gyp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WEB(FE)/node_modules/node-gyp/update-gyp.py b/WEB(FE)/node_modules/node-gyp/update-gyp.py index 9962aa02..dd657c00 100644 --- a/WEB(FE)/node_modules/node-gyp/update-gyp.py +++ b/WEB(FE)/node_modules/node-gyp/update-gyp.py @@ -50,7 +50,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar_ref, unzip_target)