From f77ab27bc96118de6150f39bac636d024d2b51a4 Mon Sep 17 00:00:00 2001
From: iluem <57590186+Qhaoduoyu@users.noreply.github.com>
Date: Sun, 14 Apr 2024 21:33:37 +0800
Subject: [PATCH] Merge pull request from GHSA-rh7j-jfvq-857j

Prevent path traversal for improved security
---
 shared_utils/handle_upload.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/shared_utils/handle_upload.py b/shared_utils/handle_upload.py
index ec0bcd9..ddab884 100644
--- a/shared_utils/handle_upload.py
+++ b/shared_utils/handle_upload.py
@@ -104,7 +104,15 @@ def extract_archive(file_path, dest_dir):
 elif file_extension in [".tar", ".gz", ".bz2"]:
 with tarfile.open(file_path, "r:*") as tarobj:
- tarobj.extractall(path=dest_dir)
+ for member in tarobj.getmembers():
+ # 清理提取路径,移除任何不安全的元素
+ member_path = os.path.normpath(member.name)
+ full_path = os.path.join(dest_dir, member_path)
+ full_path = os.path.abspath(full_path)
+ if not full_path.startswith(os.path.abspath(dest_dir) + os.sep):
+ raise Exception(f"Attempted Path Traversal in {member.name}")
+
+ tarobj.extract(member, path=dest_dir)
 print("Successfully extracted tar archive to {}".format(dest_dir))
 # 第三方库,需要预先pip install rarfile
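Review bot: The new guard rejects a legitimate directory entry named `.` or `./`, because `os.path.normpath` reduces it to `.`, `os.path.abspath` then yields exactly `dest_dir` with no trailing separator, and the `startswith(... + os.sep)` test fails, so archives that begin with such an entry now raise instead of extracting; compare against the base itself as well, e.g. `base = os.path.abspath(dest_dir)` and `if full_path != base and not full_path.startswith(base + os.sep):`. The check also looks only at `member.name`: link members (`member.issym()` / `member.islnk()`) carry their target in `member.linkname`, which is never validated, and `abspath` does not resolve symlinks, so the path test alone does not establish that every write stays under `dest_dir`. On interpreters that provide the PEP 706 extraction filters (3.12, and the 3.8–3.11 security backports), `tarobj.extractall(path=dest_dir, filter="data")` performs these checks inside the library and raises a `tarfile.FilterError` subclass on an unsafe member, so it is worth using when available and keeping the manual loop only as a fallback. The bare `raise Exception(...)` would be better as a specific type such as `ValueError` so callers can distinguish a rejected archive from other failures. The function `extract_archive` starts before the hunk and its body continues after it.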