From ae21283e19c16116c3581105c14738e8b2c4e92d Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Sat, 29 Oct 2022 10:20:59 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
 sysdiagnose-wifi-kml.py | 21 ++++++++++++++++++++-
 sysdiagnose-wifi-net.py | 24 +++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/sysdiagnose-wifi-kml.py b/sysdiagnose-wifi-kml.py
index 95a59bb..917d269 100644
--- a/sysdiagnose-wifi-kml.py
+++ b/sysdiagnose-wifi-kml.py
@@ -57,7 +57,26 @@
     # untar file first to current directory
     # tarfile.open currently Throws InvalidHeader error!
     with tarfile.open(options.inputfile, 'r:gz') as t:
-        t.extractall('./')
+        def is_within_directory(directory, target):
+            
+            abs_directory = os.path.abspath(directory)
+            abs_target = os.path.abspath(target)
+        
+            prefix = os.path.commonprefix([abs_directory, abs_target])
+            
+            return prefix == abs_directory
+        
+        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        
+            for member in tar.getmembers():
+                member_path = os.path.join(path, member.name)
+                if not is_within_directory(path, member_path):
+                    raise Exception("Attempted Path Traversal in Tar File")
+        
+            tar.extractall(path, members, numeric_owner=numeric_owner) 
+            
+        
+        safe_extract(t, "./")
    
     # does not get here due to exception ... todo
     
diff --git a/sysdiagnose-wifi-net.py b/sysdiagnose-wifi-net.py
index 94fd854..2544eb1 100644
--- a/sysdiagnose-wifi-net.py
+++ b/sysdiagnose-wifi-net.py
@@ -53,7 +53,29 @@
     # untar file first to current directory
     # tarfile.open Throws InvalidHeader error!
     with tarfile.open(options.inputfile, 'r:gz') as t:
-        t.extractall('./')
+        
+        import os
+        
+        def is_within_directory(directory, target):
+            
+            abs_directory = os.path.abspath(directory)
+            abs_target = os.path.abspath(target)
+        
+            prefix = os.path.commonprefix([abs_directory, abs_target])
+            
+            return prefix == abs_directory
+        
+        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        
+            for member in tar.getmembers():
+                member_path = os.path.join(path, member.name)
+                if not is_within_directory(path, member_path):
+                    raise Exception("Attempted Path Traversal in Tar File")
+        
+            tar.extractall(path, members, numeric_owner=numeric_owner) 
+            
+        
+        safe_extract(t, "./")
     # does not get here due to exception ... todo
    
     # readfile = ass-ume extracted name is same as input name minus the .tgz