Bug 1806899 - Sanitize extractall input (remaining) r=jcristau

Update remaining tar extractions in m-c. Differential Revision: https://phabricator.services.mozilla.com/D169388
iaxat · Feb 14, 2023 · 4bd3399 · 4bd3399
1 parent 9c8a1d5
commit 4bd3399
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/dom/media/webrtc/third_party_build/vendor-libwebrtc.py b/dom/media/webrtc/third_party_build/vendor-libwebrtc.py
@@ -5,6 +5,7 @@
 import datetime
 import os
 import shutil
+import stat
 import subprocess
 import sys
 import tarfile
@@ -111,14 +112,38 @@ def fetch_local(target, path, commit):
     shutil.move(os.path.join(path, target_archive), target_archive)
 
 
+def validate_tar_member(member, path):
+    def _is_within_directory(directory, target):
+        abs_directory = os.path.abspath(directory)
+        abs_target = os.path.abspath(target)
+        prefix = os.path.commonprefix([abs_directory, abs_target])
+        return prefix == abs_directory
+
+    member_path = os.path.join(path, member.name)
+    if not _is_within_directory(path, member_path):
+        raise Exception("Attempted path traversal in tar file: " + member.name)
+    if member.mode & (stat.S_ISUID | stat.S_ISGID):
+        raise Exception("Attempted setuid or setgid in tar file: " + member.name)
+
+
+def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+    def _files(tar, path):
+        for member in tar:
+            validate_tar_member(member, path)
+            yield member
+
+    tar.extractall(path, members=_files(tar, path), numeric_owner=numeric_owner)
+
+
 def unpack(target):
     target_archive = target + ".tar.gz"
     target_path = "tmp-" + target
     try:
         shutil.rmtree(target_path)
     except FileNotFoundError:
         pass
-    tarfile.open(target_archive).extractall(path=target_path)
+    with tarfile.open(target_archive) as t:
+        safe_extract(t, path=target_path)
     libwebrtc_used_in_firefox = os.listdir(target_path)
 
     if target == "libwebrtc":