Fix arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py and luigi/contrib/sge_runner.py #3309
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3302 and #3301
This pull request introduces a new
SafeExtractor
class to securely handle tar file extraction and replaces the existing tar extraction logic inlsf_runner.py
andsge_runner.py
with this new class. Additionally, it includes tests to validate the functionality ofSafeExtractor
.Introduction of
SafeExtractor
class:luigi/safe_extractor.py
: Added a newSafeExtractor
class to securely extract tar files and prevent path traversal vulnerabilities. This class ensures that extracted file paths are validated before extraction.Refactoring to use
SafeExtractor
:luigi/contrib/lsf_runner.py
: Replaced the existing tar extraction logic with theSafeExtractor
class in thedo_work_on_compute_node
andextract_packages_archive
functions. [1] [2]luigi/contrib/sge_runner.py
: Updated the_do_work_on_compute_node
and_extract_packages_archive
functions to use theSafeExtractor
class for tar extraction. [1] [2]Addition of tests for
SafeExtractor
:test/contrib/lsf_test.py
: Added unit tests for theSafeExtractor
class to ensure it correctly extracts files and handles path traversal attempts. [1] [2]