Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2007-4559 Patch #30

Merged
merged 1 commit into from
Feb 2, 2023
Merged

CVE-2007-4559 Patch #30

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Adding tarfile member sanitization to extractall()
  • Loading branch information
@TrellixVulnTeam
TrellixVulnTeam committed Oct 24, 2022
commit 0d391a8ad548f09242067cd3cb89460e609b665a
21 changes: 20 additions & 1 deletion ml-model/scripts/detection.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,7 +324,26 @@ def download_pretrained_model(filepaths):
# open and extract tarfile
tar_filepath = "/tf/models/research/deploy/" + filepaths["pretrained_checkpoint"]
with tarfile.open(tar_filepath) as tar:
tar.extractall(path="/tf/models/research/deploy/")
def is_within_directory(directory, target):

abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)

prefix = os.path.commonprefix([abs_directory, abs_target])

return prefix == abs_directory

def safe_extract(tar, path=".", members=None, *, numeric_owner=False):

for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")

tar.extractall(path, members, numeric_owner=numeric_owner)


safe_extract(tar, path="/tf/models/research/deploy/")

logging.info("Finished downloading pretrained model.")

Expand Down