From 80cd4d893ad450500503dc6e5deeb37df5988bcf Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Wed, 19 Oct 2022 10:48:48 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
 DataCompressionArchiving/tarFileSubset.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/DataCompressionArchiving/tarFileSubset.py b/DataCompressionArchiving/tarFileSubset.py
index d4959b5..524a045 100644
--- a/DataCompressionArchiving/tarFileSubset.py
+++ b/DataCompressionArchiving/tarFileSubset.py
@@ -60,4 +60,23 @@
 if not os.path.exists(target):
  	os.mkdir(target)
 with tarfile.open("test3.tar") as tar:
-	tar.extractall(target)
\ No newline at end of file
+def is_within_directory(directory, target):
+	
+	abs_directory = os.path.abspath(directory)
+	abs_target = os.path.abspath(target)
+
+	prefix = os.path.commonprefix([abs_directory, abs_target])
+	
+	return prefix == abs_directory
+
+def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+	for member in tar.getmembers():
+		member_path = os.path.join(path, member.name)
+		if not is_within_directory(path, member_path):
+			raise Exception("Attempted Path Traversal in Tar File")
+
+	tar.extractall(path, members, numeric_owner=numeric_owner) 
+	
+
+safe_extract(tar, target)
\ No newline at end of file