-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
75d1fc3
commit 66086df
Showing
3 changed files
with
91 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| From a8c49a5fac46df180ba95810dcbb56c00dbd9c76 Mon Sep 17 00:00:00 2001 | ||
| From: sunflowersxu <[email protected]> | ||
| Date: Thu, 13 Jun 2024 01:47:14 +0800 | ||
| Subject: [PATCH] Mitigate tarball directory traversal risks (#6164) | ||
|
|
||
| Hi, this pr is cleaner version than #6145 | ||
|
|
||
| Signed-off-by: sunriseXu <[email protected]> | ||
| Co-authored-by: sunriseXu <[email protected]> | ||
| Co-authored-by: Justin Chu <[email protected]> | ||
| --- | ||
| third_party/onnx/onnx/hub.py | 43 +++++++++++++++++++++++++++++++++++- | ||
| 1 file changed, 42 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/third_party/onnx/onnx/hub.py b/third_party/onnx/onnx/hub.py | ||
| index e5ca9e2c..dc888742 100644 | ||
| --- a/third_party/onnx/onnx/hub.py | ||
| +++ b/third_party/onnx/onnx/hub.py | ||
| @@ -271,6 +271,35 @@ def load( | ||
| return onnx.load(cast(IO[bytes], BytesIO(model_bytes))) | ||
|
|
||
|
|
||
| +def _tar_members_filter(tar: tarfile.TarFile, base: str) -> list[tarfile.TarInfo]: | ||
| + """Check that the content of ``tar`` will be extracted safely | ||
| + | ||
| + Args: | ||
| + tar: The tarball file | ||
| + base: The directory where the tarball will be extracted | ||
| + | ||
| + Returns: | ||
| + list of tarball members | ||
| + """ | ||
| + result = [] | ||
| + for member in tar: | ||
| + member_path = os.path.join(base, member.name) | ||
| + abs_base = os.path.abspath(base) | ||
| + abs_member = os.path.abspath(member_path) | ||
| + if not abs_member.startswith(abs_base): | ||
| + raise RuntimeError( | ||
| + f"The tarball member {member_path} in downloading model contains " | ||
| + f"directory traversal sequence which may contain harmful payload." | ||
| + ) | ||
| + elif member.issym() or member.islnk(): | ||
| + raise RuntimeError( | ||
| + f"The tarball member {member_path} in downloading model contains " | ||
| + f"symbolic links which may contain harmful payload." | ||
| + ) | ||
| + result.append(member) | ||
| + return result | ||
| + | ||
| + | ||
| def download_model_with_test_data( | ||
| model: str, | ||
| repo: str = "onnx/models:main", | ||
| @@ -280,6 +309,7 @@ def download_model_with_test_data( | ||
| ) -> Optional[str]: | ||
| """ | ||
| Downloads a model along with test data by name from the onnx model hub and returns the directory to which the files have been extracted. | ||
| + Users are responsible for making sure the model comes from a trusted source, and the data is safe to be extracted. | ||
|
|
||
| :param model: The name of the onnx model in the manifest. This field is case-sensitive | ||
| :param repo: The location of the model repo in format "user/repo[:branch]". | ||
| @@ -342,7 +372,18 @@ def download_model_with_test_data( | ||
| local_model_with_data_dir_path = local_model_with_data_path[ | ||
| 0 : len(local_model_with_data_path) - 7 | ||
| ] | ||
| - model_with_data_zipped.extractall(local_model_with_data_dir_path) | ||
| + # Mitigate tarball directory traversal risks | ||
| + if hasattr(tarfile, "data_filter"): | ||
| + model_with_data_zipped.extractall( | ||
| + path=local_model_with_data_dir_path, filter="data" | ||
| + ) | ||
| + else: | ||
| + model_with_data_zipped.extractall( | ||
| + path=local_model_with_data_dir_path, | ||
| + members=_tar_members_filter( | ||
| + model_with_data_zipped, local_model_with_data_dir_path | ||
| + ), | ||
| + ) | ||
| model_with_data_path = ( | ||
| local_model_with_data_dir_path | ||
| + "/" | ||
| -- | ||
| 2.39.4 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,5 @@ | ||
| { | ||
| "Signatures": { | ||
| "pytorch-2.2.2-submodules.tar.gz": "74d91f9cbba81848a0c07c718810889c46ca2d24a198444d8e3caca13eea9ffc", | ||
| "pytorch-2.2.2.tar.gz": "57a1136095bdfe769acb87876dce77212da2c995c61957a67a1f16172d235d17" | ||
| } | ||
| } | ||
| "Signatures": { | ||
| "pytorch-2.2.2.tar.gz": "57a1136095bdfe769acb87876dce77212da2c995c61957a67a1f16172d235d17" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters