CVE-2007-4559 Patch

[TrellixVulnTeam]

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

[codecov]

Codecov Report

Merging #829 (894faea) into master (d4a4499) will increase coverage by 0.76%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #829      +/-   ##
==========================================
+ Coverage   77.69%   78.46%   +0.76%     
==========================================
  Files          64       64              
  Lines        7246     7230      -16     
  Branches     1470     1465       -5     
==========================================
+ Hits         5630     5673      +43     
+ Misses       1302     1244      -58     
+ Partials      314      313       -1     

Impacted Files	Coverage Δ
signac/contrib/utility.py	53.42% <ø> (+1.57%)	⬆️
signac/__main__.py	71.96% <0.00%> (+0.22%)	⬆️
signac/contrib/indexing.py	71.22% <0.00%> (+0.47%)	⬆️
signac/core/synceddict.py	89.27% <0.00%> (+1.28%)	⬆️
signac/contrib/filesystems.py	54.20% <0.00%> (+2.80%)	⬆️
signac/core/json.py	86.66% <0.00%> (+10.00%)	⬆️
signac/synced_collections/numpy_utils.py	100.00% <0.00%> (+12.00%)	⬆️
signac/db/__init__.py	83.33% <0.00%> (+33.33%)	⬆️
...ac/synced_collections/backends/collection_redis.py	100.00% <0.00%> (+34.37%)	⬆️
.../synced_collections/backends/collection_mongodb.py	90.90% <0.00%> (+40.90%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[bdice]

I don’t have time to do a full review right now, but thank you for this! I am commenting to let the rest of the maintainer team know that this is a vulnerability I’ve heard about prior to this PR, and I think it’s worth patching in some way. I might like to refactor some portion of the fix but in principle I support it.

[tommy-waltmann]

A proper fix for this security bug should be in python's tarfile module, but until that happens, I'm in favor of this as a temporary security fix. Have the folks @TrellixVulnTeam started working towards getting this fixed upstream?

[bdice]

It appears that the best fix for this is to remove the function. _extract is never called in the codebase.