diff --git a/download_from_google_storage.py b/download_from_google_storage.py
index f484f4f51c..234f8d692e 100755
--- a/download_from_google_storage.py
+++ b/download_from_google_storage.py
@@ -209,7 +209,9 @@ def _validate_tar_file(tar, prefix):
     """Returns false if the tarinfo is something we explicitly forbid."""
     if tarinfo.issym() or tarinfo.islnk():
       return False
-    if '..' in tarinfo.name or not tarinfo.name.startswith(prefix):
+    if ('../' in tarinfo.name or
+        '..\\' in tarinfo.name or
+        not tarinfo.name.startswith(prefix)):
       return False
     return True
   return all(map(_validate, tar.getmembers()))
diff --git a/tests/download_from_google_storage_unittest.py b/tests/download_from_google_storage_unittest.py
index c03c911d30..6fa0c238cc 100755
--- a/tests/download_from_google_storage_unittest.py
+++ b/tests/download_from_google_storage_unittest.py
@@ -128,7 +128,7 @@ class GstoolsUnitTests(unittest.TestCase):
     self.assertFalse(
         download_from_google_storage._validate_tar_file(tar, tar_dir_outside))
 
-    # Test no ..
+    # Test no ../
     tar_with_dotdot = 'with_dotdot.tar.gz'
     dotdot_file = os.path.join(tar_dir, '..', tar_dir, 'lorem_ipsum.txt')
     with tarfile.open(tar_with_dotdot, 'w:gz') as tar:
@@ -136,6 +136,15 @@ class GstoolsUnitTests(unittest.TestCase):
     self.assertFalse(
         download_from_google_storage._validate_tar_file(tar, tar_dir))
 
+    # Test normal file with .. in name okay
+    tar_with_hidden = 'with_normal_dotdot.tar.gz'
+    hidden_file = os.path.join(tar_dir, '..hidden_file.txt')
+    shutil.copyfile(lorem_ipsum, hidden_file)
+    with tarfile.open(tar_with_hidden, 'w:gz') as tar:
+      tar.add(hidden_file)
+    self.assertTrue(
+        download_from_google_storage._validate_tar_file(tar,
+                                                        tar_dir))
 
   def test_gsutil(self):
     # This will download a real gsutil package from Google Storage.
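Review bot: The substring tests on the `+` lines still accept a member whose final path component is `..` (for example a name that starts with the prefix and ends in `/..`), because neither `'../'` nor `'..\\'` matches a trailing `..`, yet such an entry still names the parent directory on extraction. Checking path components instead of substrings closes that gap while keeping `..hidden_file.txt` valid: replace the two substring tests with `'..' in tarinfo.name.replace('\\', '/').split('/') or`. The `startswith(prefix)` test is pre-existing and unchanged here, but note it does not require a separator after the prefix, so a name like `<prefix>extra/...` also passes; if that matters, compare against `prefix` with a trailing separator. The nested `_validate` function's `def` line and the start of `_validate_tar_file` lie outside the hunk.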
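Review bot: The added test only covers the positive case (`..hidden_file.txt` is accepted); the new `'..\\'` branch in `_validate_tar_file` has no test at all, so a regression there would go unnoticed. One extra negative case is enough, using `arcname` to control the member name without creating such a file on disk: `tar.add(lorem_ipsum, arcname=os.path.join(tar_dir, '..\\lorem_ipsum.txt'))` followed by an `assertFalse` on `_validate_tar_file(tar, tar_dir)`. The same pattern would also let you pin the behaviour for a member whose last component is a bare `..`, which the substring checks in the other file do not reject. I cannot see a tearDown in this hunk, so I am assuming `hidden_file` and the new archive are cleaned up elsewhere in the test class.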