diff --git a/source/ExportUnityPackage/export_unity_package_test.py b/source/ExportUnityPackage/export_unity_package_test.py
index b6a1ca74..a38d9287 100755
--- a/source/ExportUnityPackage/export_unity_package_test.py
+++ b/source/ExportUnityPackage/export_unity_package_test.py
@@ -2685,7 +2685,26 @@ def test_package_write(self):
"7311924048bd457bac6d713576c952da/asset.meta",
"7311924048bd457bac6d713576c952da/pathname"],
unitypackage_file.getnames())
- unitypackage_file.extractall(self.staging_dir)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner)
+
+
+ safe_extract(unitypackage_file, self.staging_dir)
self.assertTrue(filecmp.cmp(
os.path.join(self.assets_dir, "Firebase/Plugins/Firebase.App.dll"),
os.path.join(self.staging_dir,
@@ -2845,7 +2864,26 @@ def test_package_write_with_includes_and_export(self):
"275bd6b96a28470986154b9a995e191c/asset.meta",
"275bd6b96a28470986154b9a995e191c/pathname"
], unitypackage_file.getnames())
- unitypackage_file.extractall(self.staging_dir)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner)
+
+
+ safe_extract(unitypackage_file, self.staging_dir)
self.assertTrue(
filecmp.cmp(
os.path.join(self.assets_dir,
@@ -3045,7 +3083,26 @@ def test_package_write_upm(self):
"package/Documentation~",
"package/Documentation~/index.md",
], unitypackage_file.getnames())
- unitypackage_file.extractall(self.staging_dir)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner)
+
+
+ safe_extract(unitypackage_file, self.staging_dir)
self.assertTrue(
filecmp.cmp(
@@ -3153,7 +3210,26 @@ def test_package_write_upm_documentation_as_file(self):
"package/Documentation~",
"package/Documentation~/index.md",
], upm_package_file.getnames())
- upm_package_file.extractall(self.staging_dir)
+ def is_within_directory(directory, target):
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonprefix([abs_directory, abs_target])
+
+ return prefix == abs_directory
+
+ def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+ for member in tar.getmembers():
+ member_path = os.path.join(path, member.name)
+ if not is_within_directory(path, member_path):
+ raise Exception("Attempted Path Traversal in Tar File")
+
+ tar.extractall(path, members, numeric_owner)
+
+
+ safe_extract(upm_package_file, self.staging_dir)
self.assertTrue(
filecmp.cmp(