From b761444fb35edd858844b0d99f2a5d9e7af6bae7 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Wed, 19 Oct 2022 17:15:51 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
 pose/tools/dataset/preprocess_h36m.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/pose/tools/dataset/preprocess_h36m.py b/pose/tools/dataset/preprocess_h36m.py
index d3788c82..f09aefe6 100644
--- a/pose/tools/dataset/preprocess_h36m.py
+++ b/pose/tools/dataset/preprocess_h36m.py
@@ -80,7 +80,26 @@ def extract_tgz(self):
                 filename = join(cur_dir, file + '.tgz')
                 print(f'Extracting {filename} ...')
                 with tarfile.open(filename) as tar:
-                    tar.extractall(self.extracted_dir)
+                    def is_within_directory(directory, target):
+                        
+                        abs_directory = os.path.abspath(directory)
+                        abs_target = os.path.abspath(target)
+                    
+                        prefix = os.path.commonprefix([abs_directory, abs_target])
+                        
+                        return prefix == abs_directory
+                    
+                    def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                    
+                        for member in tar.getmembers():
+                            member_path = os.path.join(path, member.name)
+                            if not is_within_directory(path, member_path):
+                                raise Exception("Attempted Path Traversal in Tar File")
+                    
+                        tar.extractall(path, members, numeric_owner=numeric_owner) 
+                        
+                    
+                    safe_extract(tar, self.extracted_dir)
         print('Extraction done.\n')
 
     def generate_cameras_file(self):