CVE-2007-4559 Patch (#64)

* Create sonar-project.properties * Create sonarqube-build.yml * Update sonarqube-build.yml * Removed duplicates (#62) * Adding tarfile member sanitization to extractall() Co-authored-by: Vinujaaa <[email protected]> Co-authored-by: Kishan Savant <[email protected]>
NimbleBoxAI · Nov 21, 2022 · 490ceed · 490ceed
1 parent 32c5e5e
commit 490ceed
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 8 deletions.
diff --git a/.github/workflows/sonarqube-build.yml b/.github/workflows/sonarqube-build.yml
@@ -0,0 +1,23 @@
+name: Run SonarQube
+on:
+ push:
+ branches:
+ - master # or the name of your main branch
+jobs:
+ build:
+ name: Run SonarQube
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - uses: sonarsource/sonarqube-scan-action@master
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ # If you wish to fail your job when the Quality Gate is red, uncomment the
+ # following lines. This would typically be used to fail a deployment.
+ # - uses: sonarsource/sonarqube-quality-gate-action@master
+ # timeout-minutes: 5
+ # env:
+ # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/README.md b/README.md
@@ -116,13 +116,6 @@ Join our [discord](https://discord.gg/qYZHxMaCsE) and someone from our community
 ## 🔖Read our [Blog](https://nimblebox.ai/blog).
 
 
-# How to get help?
-
-Join our [discord](https://discord.gg/qYZHxMaCsE) and someone from our community or engineering team will respond!
-
-## 🔖Read our [Blog](https://nimblebox.ai/blog).
-
-
 # 🧩 License
 
 The code in thist repo is licensed as [Apache License 2.0](./LICENSE). Please check for individual repositories for licenses.
diff --git a/assets/server.py b/assets/server.py
@@ -25,7 +25,26 @@
 
 with tarfile.open(fpath, "r:gz") as tar:
  folder = os.path.join(gettempdir(), os.path.basename(fpath).replace(".nbox", ""))
- tar.extractall(folder)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner) 
+
+
+ safe_extract(tar, folder)
 
 if os.environ.get("NBOX_INSTALL_DEP", False):
  subprocess.run(["pip", "install", "-r", os.path.join(folder, "requirements.txt")])

diff --git a/sonar-project.properties b/sonar-project.properties
@@ -0,0 +1 @@
+sonar.projectKey=NimbleBoxAI_nbox