CVE-2007-4559 Patch

composer/utils/checkpoint.py

@@ -274,7 +274,26 @@ def download_checkpoint(
             if extracted_checkpoint_folder is not None:
                 try:
                     with tarfile.open(rank_zero_checkpoint_filepath) as tarball:
-                        tarball.extractall(extracted_checkpoint_folder)
+                        def is_within_directory(directory, target):
+
+                            abs_directory = os.path.abspath(directory)
+                            abs_target = os.path.abspath(target)
+
+                            prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                            return prefix == abs_directory
+
+                        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                            for member in tar.getmembers():
+                                member_path = os.path.join(path, member.name)
+                                if not is_within_directory(path, member_path):
+                                    raise Exception("Attempted Path Traversal in Tar File")
+
+                            tar.extractall(path, members, numeric_owner) 
+
+
+                        safe_extract(tarball, extracted_checkpoint_folder)
                 except FileNotFoundError:
                     # Not re-raising the file-not-found error as that is irrelevant;
                     # the underlying issue is that the checkpoint file does not exist on the disk
@@ -300,7 +319,26 @@ def download_checkpoint(
                 try:
                     # it's an archive and needs to be extracted
                     with tarfile.open(rank_n_checkpoint_filepath) as tarball:
-                        tarball.extractall(extracted_checkpoint_folder)
+                        def is_within_directory(directory, target):
+
+                            abs_directory = os.path.abspath(directory)
+                            abs_target = os.path.abspath(target)
+
+                            prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                            return prefix == abs_directory
+
+                        def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                            for member in tar.getmembers():
+                                member_path = os.path.join(path, member.name)
+                                if not is_within_directory(path, member_path):
+                                    raise Exception("Attempted Path Traversal in Tar File")
+
+                            tar.extractall(path, members, numeric_owner) 
+
+
+                        safe_extract(tarball, extracted_checkpoint_folder)
                         extracted_rank_n = True
                 except FileNotFoundError:
                     # this will happen most of the time (i.e. whenever deepspeed