From 64e9d4699baf35168ed9cb3b515e3a794d1c7ec5 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam
Date: Sat, 1 Oct 2022 18:08:39 +0000
Subject: [PATCH 1/2] Adding tarfile member sanitization to extractall()
---
068_Textured_3D_GANs/setup_imagenet.py | 21 ++++++-
.../torchmeta/datasets/cifar100/base.py | 21 ++++++-
.../torchmeta/datasets/cub.py | 21 ++++++-
.../torchmeta/datasets/miniimagenet.py | 21 ++++++-
.../torchmeta/datasets/tieredimagenet.py | 21 ++++++-
.../torchmeta/datasets/cifar100/base.py | 21 ++++++-
.../torchmeta/datasets/cub.py | 21 ++++++-
.../torchmeta/datasets/miniimagenet.py | 21 ++++++-
.../torchmeta/datasets/tieredimagenet.py | 21 ++++++-
.../mmseg/tools/convert_datasets/stare.py | 63 ++++++++++++++++++-
.../deeplabcut/utils/auxfun_models.py | 42 ++++++++++++-
115_ViLBERT_Intuition/vilbert/basebert.py | 21 ++++++-
115_ViLBERT_Intuition/vilbert/vilbert.py | 21 ++++++-
.../tools/convert_datasets/stare.py | 63 ++++++++++++++++++-
.../torchmeta/datasets/cifar100/base.py | 21 ++++++-
.../torchmeta/datasets/cub.py | 21 ++++++-
.../torchmeta/datasets/miniimagenet.py | 21 ++++++-
.../torchmeta/datasets/pascal5i.py | 21 ++++++-
.../torchmeta/datasets/tieredimagenet.py | 21 ++++++-
.../estimator/data/prepare_data_2d_h36m_sh.py | 21 ++++++-
.../media_sequence/kinetics_dataset.py | 42 ++++++++++++-
.../python/utility/SetupUtility.py | 21 ++++++-
.../ldm/data/imagenet.py | 63 ++++++++++++++++++-
23 files changed, 620 insertions(+), 31 deletions(-)
diff --git a/068_Textured_3D_GANs/setup_imagenet.py b/068_Textured_3D_GANs/setup_imagenet.py
index d188be2d3a..0e8b41e8b1 100644
--- a/068_Textured_3D_GANs/setup_imagenet.py
+++ b/068_Textured_3D_GANs/setup_imagenet.py
@@ -76,7 +76,26 @@ print(f'Extracting {dir_path}.tar to {target_path}') with tarfile.open(dir_path + '.tar') as tar: pathlib.Path(target_path).mkdir(parents=True, exist_ok=False) - tar.extractall(target_path) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, target_path) else: print(f'Skipping {synset} (not found)') diff --git a/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py b/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py index c28a880a07..2acd9657c2 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py 
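Review bot: `tar.extractall(path, members, numeric_owner)` in `safe_extract` passes `numeric_owner` positionally, but `TarFile.extractall` declares it keyword-only, so the call raises `TypeError` and nothing is extracted. Change the line to `tar.extractall(path, members, numeric_owner=numeric_owner)`. The same line is repeated in every hunk of this patch, so each copy needs the same change unless the second patch in the series already makes it. The helper also relies on `os`, whose import is not visible in this hunk of setup_imagenet.py; confirm it is imported at the top of the file.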
@@ -100,7 +100,26 @@ def download(self): download_url(self.download_url, self.root, filename=gz_filename, md5=self.gz_md5) with tarfile.open(os.path.join(self.root, gz_filename), 'r:gz') as tar: - tar.extractall(path=self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=self.root) train_filename = os.path.join(self.root, self.gz_folder, 'train') check_integrity(train_filename, self.files_md5['train']) diff --git a/092_SIRENS_Intuition/torchmeta/datasets/cub.py b/092_SIRENS_Intuition/torchmeta/datasets/cub.py index ae16f3c7d9..877f4b1d79 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/cub.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/cub.py 
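Review bot: `is_within_directory` compares with `os.path.commonprefix`, which works character by character rather than per path component, so a target in a sibling directory whose name merely begins with the destination's name is accepted as being inside it. Compare path components instead: `return os.path.commonpath([abs_directory, abs_target]) == abs_directory`. Every copy of the helper in this patch has the same comparison. `download()` begins and ends outside this hunk.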
@@ -183,7 +183,26 @@ def download(self): tgz_filename = os.path.join(self.root, filename) with tarfile.open(tgz_filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) image_folder = os.path.join(self.root, self.image_folder) for split in ['train', 'val', 'test']: diff --git a/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py b/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py index 1667eaf821..7087c81c58 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py @@ -175,7 +175,26 @@ def download(self): filename = os.path.join(self.root, self.gz_filename) with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) for split in ['train', 'val', 'test']: filename = os.path.join(self.root, self.filename.format(split)) 
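Review bot: The loop in `safe_extract` checks only `member.name`, so symlink and hard-link members are accepted without looking at `member.linkname`, and `os.path.abspath` does not resolve links, so a link entry that points outside `path` is not caught by this check. Validate the link target the same way as the name, or refuse link members outright for these dataset archives, e.g. `if member.issym() or member.islnk(): raise ...` at the top of the loop. On interpreters that support tarfile extraction filters, passing `filter='data'` to `extractall` handles links, absolute names and device files in one place. This applies to every copy of the helper in the patch.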
diff --git a/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py b/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py index de441f96fa..e592e6bf75 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py @@ -182,7 +182,26 @@ def download(self): filename = os.path.join(self.root, self.tar_filename) with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) tar_folder = os.path.join(self.root, self.tar_folder) for split in ['train', 'val', 'test']: diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py index c28a880a07..2acd9657c2 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py 
@@ -100,7 +100,26 @@ def download(self): download_url(self.download_url, self.root, filename=gz_filename, md5=self.gz_md5) with tarfile.open(os.path.join(self.root, gz_filename), 'r:gz') as tar: - tar.extractall(path=self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=self.root) train_filename = os.path.join(self.root, self.gz_folder, 'train') check_integrity(train_filename, self.files_md5['train']) diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py index ae16f3c7d9..877f4b1d79 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py 
@@ -183,7 +183,26 @@ def download(self): tgz_filename = os.path.join(self.root, filename) with tarfile.open(tgz_filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) image_folder = os.path.join(self.root, self.image_folder) for split in ['train', 'val', 'test']: diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py index 1667eaf821..7087c81c58 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py 
@@ -175,7 +175,26 @@ def download(self): filename = os.path.join(self.root, self.gz_filename) with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) for split in ['train', 'val', 'test']: filename = os.path.join(self.root, self.filename.format(split)) diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py index de441f96fa..e592e6bf75 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py 
@@ -182,7 +182,26 @@ def download(self): filename = os.path.join(self.root, self.tar_filename) with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) tar_folder = os.path.join(self.root, self.tar_folder) for split in ['train', 'val', 'test']: diff --git a/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py b/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py index 6238d62f64..4cea4a8b0d 100644 --- a/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py +++ b/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py 
@@ -55,7 +55,26 @@ def main(): print('Extracting stare-images.tar...') with tarfile.open(image_path) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( @@ -90,7 +109,26 @@ def main(): print('Extracting labels-ah.tar...') with tarfile.open(labels_ah) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( 
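Review bot: `is_within_directory` and `safe_extract` are defined inside the `with` block, so `main()` in this file ends up with three identical copies (the hunks at old lines 55, 90 and 129), and kinetics_dataset.py gets two, one of them inside the `for split` loop. Define the pair once at module level and call it from each site, which leaves a single place to maintain the containment check. The sketch below also uses `os.path.commonpath` for a component-wise comparison and passes `numeric_owner` by keyword, as `TarFile.extractall` requires. The call sites could keep the file's existing `osp.join(tmp_dir, 'gz')` spelling rather than `osp.join(tmp_dir,"gz")`. `main()` begins and ends outside these hunks.

```python
# module level, once per file
def _is_within_directory(directory, target):
    """Return True when target is at or below directory."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def _safe_extract(tar, path=".", members=None, *, numeric_owner=False):
    """Extract tar into path after rejecting member names that leave it."""
    for member in tar.getmembers():
        if not _is_within_directory(path, os.path.join(path, member.name)):
            raise Exception("Attempted Path Traversal in Tar File")
    tar.extractall(path, members, numeric_owner=numeric_owner)


# … unchanged: main() up to each `with tarfile.open(...) as f:` …
        _safe_extract(f, osp.join(tmp_dir, 'gz'))
```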
@@ -129,7 +167,26 @@ def main(): print('Extracting labels-vk.tar...') with tarfile.open(labels_vk) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( diff --git a/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py b/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py index 5f168317a0..0a58eda418 100644 --- a/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py +++ b/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py 
@@ -88,7 +88,26 @@ def Downloadweights(modeltype, model_path): print("Downloading a ImageNet-pretrained model from {}....".format(url)) response = urllib.request.urlopen(url) with tarfile.open(fileobj=BytesIO(response.read()), mode="r:gz") as tar: - tar.extractall(path=target_dir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=target_dir) except KeyError: print("Model does not exist: ", modeltype) print("Pick one of the following: ", neturls.keys()) @@ -139,7 +158,26 @@ def tarfilenamecutting(tarf): pbar = tqdm(unit="B", total=total_size, position=0) filename, _ = urllib.request.urlretrieve(url, reporthook=show_progress) with tarfile.open(filename, mode="r:gz") as tar: - tar.extractall(target_dir, members=tarfilenamecutting(tar)) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, target_dir, members=tarfilenamecutting(tar)) else: models = [ fn 
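Review bot: In the second hunk, `safe_extract(tar, target_dir, members=tarfilenamecutting(tar))` validates one set of names and extracts another: the loop checks `tar.getmembers()`, while `extractall` receives whatever `tarfilenamecutting(tar)` produces. The body of `tarfilenamecutting` is outside the hunk, but its name suggests it rewrites member paths, so the check should run over the members that are actually passed. Inside `safe_extract`, materialise them first with `members = list(members) if members is not None else tar.getmembers()` and iterate over `members` in the `for` loop. The enclosing function starts before the hunk and continues after it.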
diff --git a/115_ViLBERT_Intuition/vilbert/basebert.py b/115_ViLBERT_Intuition/vilbert/basebert.py index f30b301993..c793a903af 100644 --- a/115_ViLBERT_Intuition/vilbert/basebert.py +++ b/115_ViLBERT_Intuition/vilbert/basebert.py @@ -188,7 +188,26 @@ def from_pretrained( ) ) with tarfile.open(resolved_archive_file, "r:gz") as archive: - archive.extractall(tempdir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(archive, tempdir) serialization_dir = tempdir # Load config # config_file = os.path.join(serialization_dir, CONFIG_NAME) diff --git a/115_ViLBERT_Intuition/vilbert/vilbert.py b/115_ViLBERT_Intuition/vilbert/vilbert.py index d4e6a62496..f30d996061 100644 --- a/115_ViLBERT_Intuition/vilbert/vilbert.py +++ b/115_ViLBERT_Intuition/vilbert/vilbert.py 
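Review bot: `raise Exception("Attempted Path Traversal in Tar File")` gives callers of `from_pretrained` nothing specific to catch and does not say which member was refused. A narrower type that carries the member name makes the rejection diagnosable, e.g. `raise ValueError(f"tar member {member.name!r} is outside {path!r}")`; this applies to every copy in the patch. In this hunk the raise also happens after `tempdir` already exists, and its cleanup is not visible here, so confirm the directory is removed on this new error path. `from_pretrained` begins and ends outside the hunk, and vilbert.py receives the identical hunk.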
@@ -1163,7 +1163,26 @@ def from_pretrained( ) ) with tarfile.open(resolved_archive_file, "r:gz") as archive: - archive.extractall(tempdir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(archive, tempdir) serialization_dir = tempdir # Load config # config_file = os.path.join(serialization_dir, CONFIG_NAME) diff --git a/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py b/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py index 29b78c0003..00578588bf 100644 --- a/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py +++ b/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py 
@@ -56,7 +56,26 @@ def main(): print('Extracting stare-images.tar...') with tarfile.open(image_path) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( @@ -91,7 +110,26 @@ def main(): print('Extracting labels-ah.tar...') with tarfile.open(labels_ah) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( 
@@ -130,7 +168,26 @@ def main(): print('Extracting labels-vk.tar...') with tarfile.open(labels_vk) as f: - f.extractall(osp.join(tmp_dir, 'gz')) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, osp.join(tmp_dir,"gz")) for filename in os.listdir(osp.join(tmp_dir, 'gz')): un_gz( diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py index c28a880a07..2acd9657c2 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py 
@@ -100,7 +100,26 @@ def download(self): download_url(self.download_url, self.root, filename=gz_filename, md5=self.gz_md5) with tarfile.open(os.path.join(self.root, gz_filename), 'r:gz') as tar: - tar.extractall(path=self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=self.root) train_filename = os.path.join(self.root, self.gz_folder, 'train') check_integrity(train_filename, self.files_md5['train']) diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py index 995baee039..16ed986f5f 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py 
@@ -186,7 +186,26 @@ def download(self): tgz_filename = os.path.join(self.root, self.tgz_filename) with tarfile.open(tgz_filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) image_folder = os.path.join(self.root, self.image_folder) for split in ['train', 'val', 'test']: diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py index bf3ed9efbe..bed6e50b3a 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py 
@@ -176,7 +176,26 @@ def download(self): filename = os.path.join(self.root, self.gz_filename) with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) for split in ['train', 'val', 'test']: filename = os.path.join(self.root, self.filename.format(split)) diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py index 2523716c95..f0b461dee7 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py 
@@ -239,7 +239,26 @@ def download(self): f.extractall(self.root) elif 'tar' in dload['filename']: with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) class PascalDataset(Dataset): def __init__(self, index, data, class_id, diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py index f793d66e2f..56a6cad46c 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py 
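Review bot: Only the `elif 'tar' in dload['filename']` branch is routed through `safe_extract`; the `f.extractall(self.root)` in the branch just above it is left as it was. That branch starts outside the hunk, so its archive type cannot be confirmed from here. If it is a `zipfile.ZipFile`, a short comment such as `# zipfile.extractall() already strips absolute paths and '..' components` would record why it needs no guard; if it is a tarfile, it needs the same call. SetupUtility.py `extract_file` has the same shape, with an unguarded `tar.extractall(str(output_dir))` ahead of the `elif mode.lower() == "tar"` branch.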
@@ -183,7 +183,26 @@ def download(self): filename = os.path.join(self.root, self.tar_filename) with tarfile.open(filename, 'r') as f: - f.extractall(self.root) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(f, self.root) tar_folder = os.path.join(self.root, self.tar_folder) for split in ['train', 'val', 'test']: diff --git a/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py b/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py index c5f6030edd..558f7313be 100644 --- a/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py +++ b/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py 
@@ -94,7 +94,26 @@ def process_subject(subject, file_list, output): print('Converting fine-tuned dataset from', args.fine_tuned) print('Extracting...') with tarfile.open(args.fine_tuned, 'r:gz') as archive: - archive.extractall('sh_ft') + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(archive, "sh_ft") print('Converting...') output = {} diff --git a/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py b/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py index eafe18f77d..4df4304c72 100644 --- a/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py +++ b/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py 
@@ -341,12 +341,50 @@ def _download_data(self, download_labels_for_map): if not tf.io.gfile.exists(tar_path): urlretrieve(ANNOTATION_URL, tar_path) with tarfile.open(tar_path) as annotations_tar: - annotations_tar.extractall(self.path_to_data) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(annotations_tar, self.path_to_data) for split in ["train", "test", "validate"]: csv_path = os.path.join(self.path_to_data, "kinetics700/%s.csv" % split) if not tf.io.gfile.exists(csv_path): with tarfile.open(tar_path) as annotations_tar: - annotations_tar.extractall(self.path_to_data) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(annotations_tar, self.path_to_data) paths[split] = csv_path for split, contents in SPLITS.items(): if "csv" in contents and contents["csv"]: diff --git a/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py b/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py index 1a6013adf2..c8a1ee70de 100644 
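Review bot: `_download_data` now defines the `is_within_directory`/`safe_extract` pair twice, and the second copy sits inside the `for split in ["train", "test", "validate"]` loop, so both functions are rebuilt each time a CSV is found missing. Define the pair once at module level (or in a shared utility) and keep only the two calls `safe_extract(annotations_tar, self.path_to_data)` here; that also leaves a single place to correct the check. The archive comes from `urlretrieve(ANNOTATION_URL, tar_path)` and no integrity check is visible in the hunk, so this path check is the only visible guard on its contents. The method body starts and ends outside the hunk.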
--- a/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py +++ b/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py @@ -306,7 +306,26 @@ def extract_file(output_dir: str, file: str, mode: str = "ZIP"): tar.extractall(str(output_dir)) elif mode.lower() == "tar": with tarfile.open(file) as tar: - tar.extractall(str(output_dir)) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, str(output_dir)) else: raise Exception("No such mode: " + mode) diff --git a/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py b/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py index 1c473f9c69..88e3a7e1bf 100644 --- a/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py +++ b/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py 
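Review bot: Only the `tar` branch of `extract_file` is guarded; the context line just above it still calls `tar.extractall(str(output_dir))` directly, in a branch whose opening lies outside the hunk. If that branch opens the archive with `zipfile`, its own member-name sanitising applies and a short comment would record that the omission is deliberate, e.g. `# zipfile.extractall strips absolute paths and ".." components itself`. If it is another `tarfile` handle, it needs the same `safe_extract(tar, str(output_dir))` call.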
@@ -174,7 +174,26 @@ def _prepare(self): print("Extracting {} to {}".format(path, datadir)) os.makedirs(datadir, exist_ok=True) with tarfile.open(path, "r:") as tar: - tar.extractall(path=datadir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=datadir) print("Extracting sub-tars.") subpaths = sorted(glob.glob(os.path.join(datadir, "*.tar"))) @@ -182,7 +201,26 @@ def _prepare(self): subdir = subpath[:-len(".tar")] os.makedirs(subdir, exist_ok=True) with tarfile.open(subpath, "r:") as tar: - tar.extractall(path=subdir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=subdir) filelist = glob.glob(os.path.join(datadir, "**", "*.JPEG")) filelist = [os.path.relpath(p, start=datadir) for p in filelist] 
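Review bot: In both `_prepare` hunks on this line the nested `safe_extract(tar, path=".", ...)` reuses the enclosing scope's names `tar` and `path`. In the first hunk `path` is the archive file passed to `tarfile.open(path, "r:")`, while inside the helper it means the destination directory. Rename the helper's parameters so the two meanings cannot be confused, e.g. `def safe_extract(archive, dest=".", members=None, *, numeric_owner=False):`, with the calls becoming `safe_extract(tar, dest=datadir)` and `safe_extract(tar, dest=subdir)`. `_prepare` itself starts and ends outside the hunks.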
@@ -239,7 +277,26 @@ def _prepare(self): print("Extracting {} to {}".format(path, datadir)) os.makedirs(datadir, exist_ok=True) with tarfile.open(path, "r:") as tar: - tar.extractall(path=datadir) + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + + safe_extract(tar, path=datadir) vspath = os.path.join(self.root, self.FILES[1]) if not os.path.exists(vspath) or not os.path.getsize(vspath)==self.SIZES[1]: From f26737b6f96acf6c55784cec4e1a0547a46f4382 Mon Sep 17 00:00:00 2001 
From: TrellixVulnTeam Date: Tue, 4 Oct 2022 06:34:57 +0000 Subject: [PATCH 2/2] Adding numeric_owner as keyword arguement --- 068_Textured_3D_GANs/setup_imagenet.py | 2 +- 092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py | 2 +- 092_SIRENS_Intuition/torchmeta/datasets/cub.py | 2 +- 092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py | 2 +- 092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py | 2 +- .../torchmeta/datasets/cifar100/base.py | 2 +- .../torchmeta/datasets/cub.py | 2 +- .../torchmeta/datasets/miniimagenet.py | 2 +- .../torchmeta/datasets/tieredimagenet.py | 2 +- .../DaViT/mmseg/tools/convert_datasets/stare.py | 6 +++--- .../deeplabcut/utils/auxfun_models.py | 4 ++-- 115_ViLBERT_Intuition/vilbert/basebert.py | 2 +- 115_ViLBERT_Intuition/vilbert/vilbert.py | 2 +- .../Semantic Segmentation/tools/convert_datasets/stare.py | 6 +++--- .../torchmeta/datasets/cifar100/base.py | 2 +- .../torchmeta/datasets/cub.py | 2 +- .../torchmeta/datasets/miniimagenet.py | 2 +- .../torchmeta/datasets/pascal5i.py | 2 +- .../torchmeta/datasets/tieredimagenet.py | 2 +- .../estimator/data/prepare_data_2d_h36m_sh.py | 2 +- .../examples/desktop/media_sequence/kinetics_dataset.py | 4 ++-- .../blenderproc/python/utility/SetupUtility.py | 2 +- .../ldm/data/imagenet.py | 6 +++--- 23 files changed, 31 insertions(+), 31 deletions(-) diff --git a/068_Textured_3D_GANs/setup_imagenet.py b/068_Textured_3D_GANs/setup_imagenet.py index 0e8b41e8b1..1c655c4471 100644 --- a/068_Textured_3D_GANs/setup_imagenet.py +++ b/068_Textured_3D_GANs/setup_imagenet.py @@ -92,7 +92,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, target_path) 
diff --git a/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py b/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py index 2acd9657c2..fcdc665392 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/cifar100/base.py @@ -116,7 +116,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=self.root) diff --git a/092_SIRENS_Intuition/torchmeta/datasets/cub.py b/092_SIRENS_Intuition/torchmeta/datasets/cub.py index 877f4b1d79..e710500b71 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/cub.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/cub.py @@ -199,7 +199,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py b/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py index 7087c81c58..9f78bd53b4 100644 --- a/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/miniimagenet.py @@ -191,7 +191,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py b/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py index e592e6bf75..2ef8031123 100644 
--- a/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py +++ b/092_SIRENS_Intuition/torchmeta/datasets/tieredimagenet.py @@ -198,7 +198,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py index 2acd9657c2..fcdc665392 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cifar100/base.py @@ -116,7 +116,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=self.root) diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py index 877f4b1d79..e710500b71 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/cub.py 
@@ -199,7 +199,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py index 7087c81c58..9f78bd53b4 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/miniimagenet.py @@ -191,7 +191,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py index e592e6bf75..2ef8031123 100644 --- a/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py +++ b/093_Neural_Volumes/Fast_Training_of_Neural_Lumigraph_Representations_using_Meta_Learning/torchmeta/datasets/tieredimagenet.py 
@@ -198,7 +198,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py b/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py index 4cea4a8b0d..58de7ca8c0 100644 --- a/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py +++ b/099_Vision_Transformer_A_Comprehensive_Intuition/DaViT/mmseg/tools/convert_datasets/stare.py @@ -71,7 +71,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, osp.join(tmp_dir,"gz")) @@ -125,7 +125,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, osp.join(tmp_dir,"gz")) @@ -183,7 +183,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, osp.join(tmp_dir,"gz")) 
diff --git a/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py b/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py index 0a58eda418..f79b2cee58 100644 --- a/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py +++ b/104_MultiAnimal_Pose_Estimation_Identification_and_tracking_with_DeepLabCut/deeplabcut/utils/auxfun_models.py @@ -104,7 +104,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=target_dir) @@ -174,7 +174,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, target_dir, members=tarfilenamecutting(tar)) diff --git a/115_ViLBERT_Intuition/vilbert/basebert.py b/115_ViLBERT_Intuition/vilbert/basebert.py index c793a903af..a4952f4e04 100644 --- a/115_ViLBERT_Intuition/vilbert/basebert.py +++ b/115_ViLBERT_Intuition/vilbert/basebert.py @@ -204,7 +204,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(archive, tempdir) diff --git a/115_ViLBERT_Intuition/vilbert/vilbert.py b/115_ViLBERT_Intuition/vilbert/vilbert.py index f30d996061..699a39b7e6 100644 --- a/115_ViLBERT_Intuition/vilbert/vilbert.py +++ b/115_ViLBERT_Intuition/vilbert/vilbert.py 
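Review bot: In the second auxfun_models.py hunk the call is `safe_extract(tar, target_dir, members=tarfilenamecutting(tar))`, but the helper added in patch 1/2 validates `for member in tar.getmembers():` and never looks at the `members` argument it then hands to `extractall`. If `tarfilenamecutting` (not shown on this page) rewrites or filters member names, the names that were checked are not the names that get extracted. Check what will actually be extracted: materialise the argument first with `members = None if members is None else list(members)`, then loop with `for member in (tar.getmembers() if members is None else members):`. The helper's body begins outside this hunk.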
@@ -1179,7 +1179,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(archive, tempdir) diff --git a/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py b/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py index 00578588bf..b3002dd1dc 100644 --- a/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py +++ b/123_An_Empirical_Study_of_Remote_Sensing_Pretraining/Semantic Segmentation/tools/convert_datasets/stare.py @@ -72,7 +72,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, osp.join(tmp_dir,"gz")) @@ -126,7 +126,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, osp.join(tmp_dir,"gz")) @@ -184,7 +184,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, osp.join(tmp_dir,"gz")) 
diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py index 2acd9657c2..fcdc665392 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cifar100/base.py @@ -116,7 +116,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=self.root) diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py index 16ed986f5f..3570218514 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/cub.py @@ -202,7 +202,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py index bed6e50b3a..3bb9303023 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py 
+++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/miniimagenet.py @@ -192,7 +192,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py index f0b461dee7..00fd1a7906 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/pascal5i.py @@ -255,7 +255,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py index 56a6cad46c..94fb51e01c 100644 --- a/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py +++ b/130_Unsupervised_Discovery_and_Composition_of_Object_Light_Fields/torchmeta/datasets/tieredimagenet.py 
@@ -199,7 +199,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(f, self.root) diff --git a/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py b/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py index 558f7313be..d7623433fb 100644 --- a/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py +++ b/134_PoseTriplet_CoEvolving_3D_Human_Pose_Estimation_Imitation_and_Hallucination_under_Self_Supervision/estimator/data/prepare_data_2d_h36m_sh.py @@ -110,7 +110,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(archive, "sh_ft") diff --git a/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py b/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py index 4df4304c72..71543d5b7e 100644 --- a/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py +++ b/178_BlazePose_GHUM_Holistic_Intuition/mediapipe/examples/desktop/media_sequence/kinetics_dataset.py 
@@ -357,7 +357,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(annotations_tar, self.path_to_data) @@ -381,7 +381,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(annotations_tar, self.path_to_data) diff --git a/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py b/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py index c8a1ee70de..b5bbb0bfd3 100644 --- a/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py +++ b/204_BlenderProc_Intuition/blenderproc/python/utility/SetupUtility.py @@ -322,7 +322,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, str(output_dir)) diff --git a/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py b/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py index 88e3a7e1bf..804c58d13f 100644 --- a/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py +++ b/228_HighResolution_Image_Synthesis_with_LDM/ldm/data/imagenet.py 
@@ -190,7 +190,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=datadir) @@ -217,7 +217,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=subdir) @@ -293,7 +293,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): if not is_within_directory(path, member_path): raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner) + tar.extractall(path, members, numeric_owner=numeric_owner) safe_extract(tar, path=datadir)