From d581acac97ad7ee0ca288cc3762348893f5aa9dd Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <kasimir.schulz@trellix.com>
Date: Sat, 1 Oct 2022 23:28:14 +0000
Subject: [PATCH 1/2] Adding tarfile member sanitization to extractall()

---
 .../notebooks/load_data.py                    | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/studio/flight-delay-analysis/notebooks/load_data.py b/studio/flight-delay-analysis/notebooks/load_data.py
index aab753d..1922d02 100644
--- a/studio/flight-delay-analysis/notebooks/load_data.py
+++ b/studio/flight-delay-analysis/notebooks/load_data.py
@@ -44,7 +44,26 @@ def download_from_public_url(url):
         if r.headers['content-type'] in ['application/x-tar', 'application/x-gzip']:
             print('Extracting downloaded file in directory "{}" ...'.format(data_dir))
             with tarfile.open(downloaded_data_file, 'r') as tar:
-                tar.extractall(data_dir)
+                def is_within_directory(directory, target):
+                    
+                    abs_directory = os.path.abspath(directory)
+                    abs_target = os.path.abspath(target)
+                
+                    prefix = os.path.commonprefix([abs_directory, abs_target])
+                    
+                    return prefix == abs_directory
+                
+                def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+                
+                    for member in tar.getmembers():
+                        member_path = os.path.join(path, member.name)
+                        if not is_within_directory(path, member_path):
+                            raise Exception("Attempted Path Traversal in Tar File")
+                
+                    tar.extractall(path, members, numeric_owner) 
+                    
+                
+                safe_extract(tar, data_dir)
             print('Removing downloaded file ...')
             downloaded_data_file.unlink()
 

From 02d1ee4718c88a2925c91e8b041ee45a56524e85 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Tue, 4 Oct 2022 07:53:38 +0000
Subject: [PATCH 2/2] Adding numeric_owner as keyword arguement

---
 studio/flight-delay-analysis/notebooks/load_data.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/studio/flight-delay-analysis/notebooks/load_data.py b/studio/flight-delay-analysis/notebooks/load_data.py
index 1922d02..d07ef8b 100644
--- a/studio/flight-delay-analysis/notebooks/load_data.py
+++ b/studio/flight-delay-analysis/notebooks/load_data.py
@@ -60,7 +60,7 @@ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
                         if not is_within_directory(path, member_path):
                             raise Exception("Attempted Path Traversal in Tar File")
                 
-                    tar.extractall(path, members, numeric_owner) 
+                    tar.extractall(path, members, numeric_owner=numeric_owner) 
                     
                 
                 safe_extract(tar, data_dir)