From 8af75a771ba2521381feee6b19fa3625debc91a1 Mon Sep 17 00:00:00 2001 
From: TrellixVulnTeam Date: Mon, 12 Dec 2022 13:39:44 +0000 Subject: [PATCH] Adding tarfile member sanitization to extractall() --- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 
++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- .../node_modules/node-gyp/update-gyp.py | 21 ++++++++++++++++++- 34 files changed, 680 insertions(+), 34 deletions(-) diff --git a/C11_AngularIntro/InClass_Exercises/create-multiple-components/node_modules/node-gyp/update-gyp.py b/C11_AngularIntro/InClass_Exercises/create-multiple-components/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C11_AngularIntro/InClass_Exercises/create-multiple-components/node_modules/node-gyp/update-gyp.py +++ b/C11_AngularIntro/InClass_Exercises/create-multiple-components/node_modules/node-gyp/update-gyp.py @@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C11_AngularIntro/InClass_Exercises/dynamic-content/node_modules/node-gyp/update-gyp.py b/C11_AngularIntro/InClass_Exercises/dynamic-content/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C11_AngularIntro/InClass_Exercises/dynamic-content/node_modules/node-gyp/update-gyp.py 
+++ b/C11_AngularIntro/InClass_Exercises/dynamic-content/node_modules/node-gyp/update-gyp.py @@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C11_AngularIntro/InClass_Exercises/generate-angular-component/node_modules/node-gyp/update-gyp.py b/C11_AngularIntro/InClass_Exercises/generate-angular-component/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C11_AngularIntro/InClass_Exercises/generate-angular-component/node_modules/node-gyp/update-gyp.py +++ b/C11_AngularIntro/InClass_Exercises/generate-angular-component/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C11_AngularIntro/InClass_Exercises/manually-create-component-style/node_modules/node-gyp/update-gyp.py b/C11_AngularIntro/InClass_Exercises/manually-create-component-style/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C11_AngularIntro/InClass_Exercises/manually-create-component-style/node_modules/node-gyp/update-gyp.py +++ b/C11_AngularIntro/InClass_Exercises/manually-create-component-style/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C11_AngularIntro/InClass_Exercises/manually-create-component/node_modules/node-gyp/update-gyp.py b/C11_AngularIntro/InClass_Exercises/manually-create-component/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C11_AngularIntro/InClass_Exercises/manually-create-component/node_modules/node-gyp/update-gyp.py +++ b/C11_AngularIntro/InClass_Exercises/manually-create-component/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C11_AngularIntro/Videos/my-first-app/node_modules/node-gyp/update-gyp.py b/C11_AngularIntro/Videos/my-first-app/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C11_AngularIntro/Videos/my-first-app/node_modules/node-gyp/update-gyp.py +++ b/C11_AngularIntro/Videos/my-first-app/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C12_AngularBasics/Videos/class-12-ang-videos/node_modules/node-gyp/update-gyp.py b/C12_AngularBasics/Videos/class-12-ang-videos/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C12_AngularBasics/Videos/class-12-ang-videos/node_modules/node-gyp/update-gyp.py +++ b/C12_AngularBasics/Videos/class-12-ang-videos/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C12_AngularBasics/inCLass/angular-basics-exercise/node_modules/node-gyp/update-gyp.py b/C12_AngularBasics/inCLass/angular-basics-exercise/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C12_AngularBasics/inCLass/angular-basics-exercise/node_modules/node-gyp/update-gyp.py +++ b/C12_AngularBasics/inCLass/angular-basics-exercise/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C12_AngularBasics/inCLass/ternary-operator-string-interpoloation/node_modules/node-gyp/update-gyp.py b/C12_AngularBasics/inCLass/ternary-operator-string-interpoloation/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C12_AngularBasics/inCLass/ternary-operator-string-interpoloation/node_modules/node-gyp/update-gyp.py +++ b/C12_AngularBasics/inCLass/ternary-operator-string-interpoloation/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/InClass_Exercises/basic-event-binding-exercise/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/InClass_Exercises/basic-event-binding-exercise/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/InClass_Exercises/basic-event-binding-exercise/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/InClass_Exercises/basic-event-binding-exercise/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/InClass_Exercises/basic-ngif-exercise6-7-8-9-10/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/InClass_Exercises/basic-ngif-exercise6-7-8-9-10/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/InClass_Exercises/basic-ngif-exercise6-7-8-9-10/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/InClass_Exercises/basic-ngif-exercise6-7-8-9-10/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/InClass_Exercises/basic-ngmodel-exercise/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/InClass_Exercises/basic-ngmodel-exercise/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/InClass_Exercises/basic-ngmodel-exercise/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/InClass_Exercises/basic-ngmodel-exercise/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/InClass_Exercises/dynamic-button-event-binding/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/InClass_Exercises/dynamic-button-event-binding/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/InClass_Exercises/dynamic-button-event-binding/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/InClass_Exercises/dynamic-button-event-binding/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/InClass_Exercises/input-event-binding-exercise/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/InClass_Exercises/input-event-binding-exercise/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/InClass_Exercises/input-event-binding-exercise/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/InClass_Exercises/input-event-binding-exercise/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/InClass_Exercises/property-binding-image-size/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/InClass_Exercises/property-binding-image-size/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/InClass_Exercises/property-binding-image-size/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/InClass_Exercises/property-binding-image-size/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C13_AngRecipeProject/recipe-project/node_modules/node-gyp/update-gyp.py b/C13_AngRecipeProject/recipe-project/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C13_AngRecipeProject/recipe-project/node_modules/node-gyp/update-gyp.py +++ b/C13_AngRecipeProject/recipe-project/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C14_ComponentDataBinding/InClass/angular-basic-custom-event/node_modules/node-gyp/update-gyp.py b/C14_ComponentDataBinding/InClass/angular-basic-custom-event/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C14_ComponentDataBinding/InClass/angular-basic-custom-event/node_modules/node-gyp/update-gyp.py +++ b/C14_ComponentDataBinding/InClass/angular-basic-custom-event/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C14_ComponentDataBinding/InClass/angular-basic-custom-property-exercise/node_modules/node-gyp/update-gyp.py b/C14_ComponentDataBinding/InClass/angular-basic-custom-property-exercise/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C14_ComponentDataBinding/InClass/angular-basic-custom-property-exercise/node_modules/node-gyp/update-gyp.py +++ b/C14_ComponentDataBinding/InClass/angular-basic-custom-property-exercise/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C14_ComponentDataBinding/InClass/angular-nested-component-input/node_modules/node-gyp/update-gyp.py b/C14_ComponentDataBinding/InClass/angular-nested-component-input/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C14_ComponentDataBinding/InClass/angular-nested-component-input/node_modules/node-gyp/update-gyp.py +++ b/C14_ComponentDataBinding/InClass/angular-nested-component-input/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C14_ComponentDataBinding/InClass/angular-ngFor-input-decorator/node_modules/node-gyp/update-gyp.py b/C14_ComponentDataBinding/InClass/angular-ngFor-input-decorator/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C14_ComponentDataBinding/InClass/angular-ngFor-input-decorator/node_modules/node-gyp/update-gyp.py +++ b/C14_ComponentDataBinding/InClass/angular-ngFor-input-decorator/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C15_Directives/InClass/class-exercise-navbar-searchresults/node_modules/node-gyp/update-gyp.py b/C15_Directives/InClass/class-exercise-navbar-searchresults/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C15_Directives/InClass/class-exercise-navbar-searchresults/node_modules/node-gyp/update-gyp.py +++ b/C15_Directives/InClass/class-exercise-navbar-searchresults/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C15_Directives/InClass/inclass-code-directives-services/node_modules/node-gyp/update-gyp.py b/C15_Directives/InClass/inclass-code-directives-services/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C15_Directives/InClass/inclass-code-directives-services/node_modules/node-gyp/update-gyp.py +++ b/C15_Directives/InClass/inclass-code-directives-services/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...") with tarfile.open(tar_file, "r:gz") as tar_ref: - tar_ref.extractall(unzip_target) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner=numeric_owner) + + + safe_extract(tar_ref, unzip_target) print("Moving to current checkout (" + CHECKOUT_PATH + ")...") if os.path.exists(CHECKOUT_GYP_PATH): diff --git a/C15_Directives/Videos/directive-app/node_modules/node-gyp/update-gyp.py b/C15_Directives/Videos/directive-app/node_modules/node-gyp/update-gyp.py index bb84f071a..73277d806 100755 --- a/C15_Directives/Videos/directive-app/node_modules/node-gyp/update-gyp.py +++ b/C15_Directives/Videos/directive-app/node_modules/node-gyp/update-gyp.py 
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C17_Routing/InClass/book-app/node_modules/node-gyp/update-gyp.py b/C17_Routing/InClass/book-app/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/C17_Routing/InClass/book-app/node_modules/node-gyp/update-gyp.py
+++ b/C17_Routing/InClass/book-app/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C17_Routing/Videos/routing-start/node_modules/node-gyp/update-gyp.py b/C17_Routing/Videos/routing-start/node_modules/node-gyp/update-gyp.py
index aa2bcb9eb..dd657c00e 100755
--- a/C17_Routing/Videos/routing-start/node_modules/node-gyp/update-gyp.py
+++ b/C17_Routing/Videos/routing-start/node_modules/node-gyp/update-gyp.py
@@ -34,7 +34,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C18_Obervables/InClass/basic-observable-ex/node_modules/node-gyp/update-gyp.py b/C18_Obervables/InClass/basic-observable-ex/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/C18_Obervables/InClass/basic-observable-ex/node_modules/node-gyp/update-gyp.py
+++ b/C18_Obervables/InClass/basic-observable-ex/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C18_Obervables/InClass/basic-pipe-math-ex/node_modules/node-gyp/update-gyp.py b/C18_Obervables/InClass/basic-pipe-math-ex/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/C18_Obervables/InClass/basic-pipe-math-ex/node_modules/node-gyp/update-gyp.py
+++ b/C18_Obervables/InClass/basic-pipe-math-ex/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C18_Obervables/Videos/obs-01-start/node_modules/node-gyp/update-gyp.py b/C18_Obervables/Videos/obs-01-start/node_modules/node-gyp/update-gyp.py
index aa2bcb9eb..dd657c00e 100755
--- a/C18_Obervables/Videos/obs-01-start/node_modules/node-gyp/update-gyp.py
+++ b/C18_Obervables/Videos/obs-01-start/node_modules/node-gyp/update-gyp.py
@@ -34,7 +34,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C20_FormControl_Pipes/Videos/pipe-vid-exercise/node_modules/node-gyp/update-gyp.py b/C20_FormControl_Pipes/Videos/pipe-vid-exercise/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/C20_FormControl_Pipes/Videos/pipe-vid-exercise/node_modules/node-gyp/update-gyp.py
+++ b/C20_FormControl_Pipes/Videos/pipe-vid-exercise/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/C22_HTTP/Videos/http-01-start/node_modules/node-gyp/update-gyp.py b/C22_HTTP/Videos/http-01-start/node_modules/node-gyp/update-gyp.py
index aa2bcb9eb..dd657c00e 100755
--- a/C22_HTTP/Videos/http-01-start/node_modules/node-gyp/update-gyp.py
+++ b/C22_HTTP/Videos/http-01-start/node_modules/node-gyp/update-gyp.py
@@ -34,7 +34,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/angular-resume/node_modules/node-gyp/update-gyp.py b/angular-resume/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/angular-resume/node_modules/node-gyp/update-gyp.py
+++ b/angular-resume/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/angular-sketchbook/node_modules/node-gyp/update-gyp.py b/angular-sketchbook/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/angular-sketchbook/node_modules/node-gyp/update-gyp.py
+++ b/angular-sketchbook/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/angular-tour-of-heroes/node_modules/node-gyp/update-gyp.py b/angular-tour-of-heroes/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/angular-tour-of-heroes/node_modules/node-gyp/update-gyp.py
+++ b/angular-tour-of-heroes/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):
diff --git a/angularfiebase-authentication/node_modules/node-gyp/update-gyp.py b/angularfiebase-authentication/node_modules/node-gyp/update-gyp.py
index bb84f071a..73277d806 100755
--- a/angularfiebase-authentication/node_modules/node-gyp/update-gyp.py
+++ b/angularfiebase-authentication/node_modules/node-gyp/update-gyp.py
@@ -33,7 +33,26 @@ print("Unzipping...")
 with tarfile.open(tar_file, "r:gz") as tar_ref:
- tar_ref.extractall(unzip_target)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner=numeric_owner)
+
+
+ safe_extract(tar_ref, unzip_target)
 print("Moving to current checkout (" + CHECKOUT_PATH + ")...")
 if os.path.exists(CHECKOUT_GYP_PATH):