Fix code scanning alert #2: Arbitrary file write during tarfile extra…

…ction Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Jinzhe Zeng <[email protected]>
deepmodeling · Sep 18, 2024 · 5dccdf0 · 5dccdf0
1 parent 440bb82
commit 5dccdf0
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/source/install/build_tf.py b/source/install/build_tf.py
@@ -173,6 +173,8 @@ def is_within_directory(directory, target):
                 def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
                     for member in tar.getmembers():
                         member_path = os.path.join(path, member.name)
+                        if os.path.isabs(member.name) or ".." in Path(member.name).parts:
+                            raise Exception("Attempted Path Traversal in Tar File")
                         if not is_within_directory(path, member_path):
                             raise Exception("Attempted Path Traversal in Tar File")