Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py and luigi/contrib/sge_runner.py #3309

Merged
merged 1 commit into from
Sep 7, 2024
Merged

Fix arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py and luigi/contrib/sge_runner.py #3309

merged 1 commit into from
Sep 7, 2024

Conversation

Ali-Razmjoo
Copy link
Contributor

@Ali-Razmjoo Ali-Razmjoo commented Sep 4, 2024
edited
Loading

Fixes #3302 and #3301

This pull request introduces a new SafeExtractor class to securely handle tar file extraction and replaces the existing tar extraction logic in lsf_runner.py and sge_runner.py with this new class. Additionally, it includes tests to validate the functionality of SafeExtractor.

Introduction of SafeExtractor class:

  • luigi/safe_extractor.py: Added a new SafeExtractor class to securely extract tar files and prevent path traversal vulnerabilities. This class ensures that extracted file paths are validated before extraction.

Refactoring to use SafeExtractor:

  • luigi/contrib/lsf_runner.py: Replaced the existing tar extraction logic with the SafeExtractor class in the do_work_on_compute_node and extract_packages_archive functions. [1] [2]
  • luigi/contrib/sge_runner.py: Updated the _do_work_on_compute_node and _extract_packages_archive functions to use the SafeExtractor class for tar extraction. [1] [2]

Addition of tests for SafeExtractor:

  • test/contrib/lsf_test.py: Added unit tests for the SafeExtractor class to ensure it correctly extracts files and handles path traversal attempts. [1] [2]

@Ali-Razmjoo Ali-Razmjoo requested review from dlstadther and a team as code owners September 4, 2024 13:19
@Ali-Razmjoo Ali-Razmjoo changed the title Fix arbitrary file write during tarfile extraction Fix arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py and luigi/contrib/sge_runner.py Sep 4, 2024
@Ali-Razmjoo Ali-Razmjoo force-pushed the fix-tarfile-extraction branch 2 times, most recently from bd84560 to 89481fe Compare September 5, 2024 17:10
dlstadther
dlstadther requested changes Sep 5, 2024
View reviewed changes
test/contrib/lsf_test.py Outdated Show resolved Hide resolved
test/contrib/lsf_test.py Outdated Show resolved Hide resolved
luigi/safe_extractor.py Outdated Show resolved Hide resolved
@Ali-Razmjoo Ali-Razmjoo force-pushed the fix-tarfile-extraction branch 4 times, most recently from d7bccbb to 319434a Compare September 6, 2024 09:54
dlstadther
dlstadther approved these changes Sep 7, 2024
View reviewed changes
Copy link
Collaborator

@dlstadther dlstadther left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@dlstadther dlstadther merged commit b5d1b96 into spotify:master Sep 7, 2024
49 of 51 checks passed
@Ali-Razmjoo Ali-Razmjoo mentioned this pull request Sep 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlstadther dlstadther dlstadther approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py
2 participants
@Ali-Razmjoo @dlstadther