From 2d573daa882ce337858f15081759f2cd6f4f548f Mon Sep 17 00:00:00 2001 From: YuchenJin Date: Tue, 10 Jan 2023 09:33:34 -0800 Subject: [PATCH 1/3] CVE-2007-4559 patch. --- .../template_project/microtvm_api_server.py | 21 +++++++++++++++++-- .../template_project/microtvm_api_server.py | 21 ++++++++++++++++++- 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/apps/microtvm/arduino/template_project/microtvm_api_server.py b/apps/microtvm/arduino/template_project/microtvm_api_server.py index f121238a678d..dbee17feafa5 100644 --- a/apps/microtvm/arduino/template_project/microtvm_api_server.py +++ b/apps/microtvm/arduino/template_project/microtvm_api_server.py @@ -177,11 +177,28 @@ def _remove_unused_components(self, source_dir, project_type): for component in unused_components: shutil.rmtree(source_dir / "standalone_crt" / component) + def _safe_extract(tar, path=".", members=None, *, numeric_owner=False): + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + def _disassemble_mlf(self, mlf_tar_path, source_dir): with tempfile.TemporaryDirectory() as mlf_unpacking_dir_str: mlf_unpacking_dir = pathlib.Path(mlf_unpacking_dir_str) with tarfile.open(mlf_tar_path, "r:") as tar: - tar.extractall(mlf_unpacking_dir) + self._safe_extract(tar, mlf_unpacking_dir) model_dir = source_dir / "model" model_dir.mkdir() @@ -430,7 +447,7 @@ def generate_project(self, model_library_format_path, standalone_crt_dir, projec # Populate extra_files if extra_files_tar: with tarfile.open(extra_files_tar, mode="r:*") as tf: - tf.extractall(project_dir) + self._safe_extract(tf, project_dir) build_extra_flags = '"build.extra_flags=' if extra_files_tar: diff --git a/apps/microtvm/zephyr/template_project/microtvm_api_server.py b/apps/microtvm/zephyr/template_project/microtvm_api_server.py index 227b0389445a..5cf104edf884 100644 --- a/apps/microtvm/zephyr/template_project/microtvm_api_server.py +++ b/apps/microtvm/zephyr/template_project/microtvm_api_server.py @@ -702,7 +702,26 @@ def generate_project(self, model_library_format_path, standalone_crt_dir, projec # Populate extra_files if extra_files_tar: with tarfile.open(extra_files_tar, mode="r:*") as tf: - tf.extractall(project_dir) + + def is_within_directory(directory, target): + + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + + prefix = os.path.commonprefix([abs_directory, abs_target]) + + return prefix == abs_directory + + def safe_extract(tar, path=".", members=None, *, numeric_owner=False): + + for member in tar.getmembers(): + member_path = os.path.join(path, member.name) + if not is_within_directory(path, member_path): + raise Exception("Attempted Path Traversal in Tar File") + + tar.extractall(path, members, numeric_owner) + + safe_extract(tf, project_dir) def build(self, options): if BUILD_DIR.exists(): From 39ae9a0d573079eed1e13731a14666fb418af549 Mon Sep 17 00:00:00 2001 From: YuchenJin Date: Sat, 28 Jan 2023 12:32:35 -0800 Subject: [PATCH 2/3] Address review comments --- .../arduino/template_project/microtvm_api_server.py | 8 ++++---- .../zephyr/template_project/microtvm_api_server.py | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/microtvm/arduino/template_project/microtvm_api_server.py b/apps/microtvm/arduino/template_project/microtvm_api_server.py index dbee17feafa5..bc6c8cc8e3a3 100644 --- a/apps/microtvm/arduino/template_project/microtvm_api_server.py +++ b/apps/microtvm/arduino/template_project/microtvm_api_server.py @@ -178,8 +178,9 @@ def _remove_unused_components(self, source_dir, project_type): shutil.rmtree(source_dir / "standalone_crt" / component) def _safe_extract(tar, path=".", members=None, *, numeric_owner=False): - def is_within_directory(directory, target): + def is_within_directory(directory, member): + target = os.path.join(path, member.name) abs_directory = os.path.abspath(directory) abs_target = os.path.abspath(target) @@ -188,9 +189,8 @@ def is_within_directory(directory, target): return prefix == abs_directory for member in tar.getmembers(): - member_path = os.path.join(path, member.name) - if not is_within_directory(path, member_path): - raise Exception("Attempted Path Traversal in Tar File") + if not is_within_directory(path, member): + raise Exception("Attempted Path Traversal in Tar File attack. See CVE-2007-4559.") tar.extractall(path, members, numeric_owner) diff --git a/apps/microtvm/zephyr/template_project/microtvm_api_server.py b/apps/microtvm/zephyr/template_project/microtvm_api_server.py index 5cf104edf884..73df731a84dc 100644 --- a/apps/microtvm/zephyr/template_project/microtvm_api_server.py +++ b/apps/microtvm/zephyr/template_project/microtvm_api_server.py @@ -703,8 +703,9 @@ def generate_project(self, model_library_format_path, standalone_crt_dir, projec if extra_files_tar: with tarfile.open(extra_files_tar, mode="r:*") as tf: - def is_within_directory(directory, target): + def is_within_directory(directory, member, path="."): + target = os.path.join(path, member.name) abs_directory = os.path.abspath(directory) abs_target = os.path.abspath(target) @@ -715,9 +716,8 @@ def is_within_directory(directory, target): def safe_extract(tar, path=".", members=None, *, numeric_owner=False): for member in tar.getmembers(): - member_path = os.path.join(path, member.name) - if not is_within_directory(path, member_path): - raise Exception("Attempted Path Traversal in Tar File") + if not is_within_directory(path, member): + raise Exception("Attempted Path Traversal in Tar File attack. See CVE-2007-4559.") tar.extractall(path, members, numeric_owner) From d6ee8919c63c24f300311c1894cdda5424bb82db Mon Sep 17 00:00:00 2001 From: YuchenJin Date: Mon, 13 Feb 2023 18:28:31 -0800 Subject: [PATCH 3/3] rebase & address comment --- .../arduino/template_project/microtvm_api_server.py | 2 +- .../microtvm/zephyr/template_project/microtvm_api_server.py | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apps/microtvm/arduino/template_project/microtvm_api_server.py b/apps/microtvm/arduino/template_project/microtvm_api_server.py index bc6c8cc8e3a3..218ade70587d 100644 --- a/apps/microtvm/arduino/template_project/microtvm_api_server.py +++ b/apps/microtvm/arduino/template_project/microtvm_api_server.py @@ -180,8 +180,8 @@ def _remove_unused_components(self, source_dir, project_type): def _safe_extract(tar, path=".", members=None, *, numeric_owner=False): def is_within_directory(directory, member): - target = os.path.join(path, member.name) abs_directory = os.path.abspath(directory) + target = os.path.join(directory, member.name) abs_target = os.path.abspath(target) prefix = os.path.commonprefix([abs_directory, abs_target]) diff --git a/apps/microtvm/zephyr/template_project/microtvm_api_server.py b/apps/microtvm/zephyr/template_project/microtvm_api_server.py index 73df731a84dc..a97fb4e033ee 100644 --- a/apps/microtvm/zephyr/template_project/microtvm_api_server.py +++ b/apps/microtvm/zephyr/template_project/microtvm_api_server.py @@ -705,8 +705,8 @@ def generate_project(self, model_library_format_path, standalone_crt_dir, projec def is_within_directory(directory, member, path="."): - target = os.path.join(path, member.name) abs_directory = os.path.abspath(directory) + target = os.path.join(path, member.name) abs_target = os.path.abspath(target) prefix = os.path.commonprefix([abs_directory, abs_target]) @@ -717,7 +717,9 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False): for member in tar.getmembers(): if not is_within_directory(path, member): - raise Exception("Attempted Path Traversal in Tar File attack. See CVE-2007-4559.") + raise Exception( + "Attempted Path Traversal in Tar File attack. See CVE-2007-4559." + ) tar.extractall(path, members, numeric_owner)