diff --git a/server/bin/server.py b/server/bin/server.py index 3d52210..46251d8 100644 --- a/server/bin/server.py +++ b/server/bin/server.py @@ -39,7 +39,26 @@ def convert(): # Decompress uploaded data. with tarfile.open(uploaded_data_path) as tarball: tarball_dirname = os.path.join(UPLOAD_FOLDER, job_uuid) - tarball.extractall(tarball_dirname) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tarball, tarball_dirname) # Build TIMSCONVERT command. run_path = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))), 'run.py') diff --git a/server/views.py b/server/views.py index e8b5849..ef48247 100644 --- a/server/views.py +++ b/server/views.py @@ -30,7 +30,26 @@ def convert(): # Decompress uploaded data. with tarfile.open(uploaded_data_path) as tarball: - tarball.extractall(temp_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tarball, temp_dir) # Build TIMSCONVERT command. run_script = "/app/timsconvert/bin/run.py"