make sure nothing in the cmake tar file expands upwards beyond the do…

…wnload root directory (charlesnicholson#229)
Okarss · Oct 24, 2022 · bd2ed78 · bd2ed78
1 parent de89d6e
commit bd2ed78
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/build.py b/build.py
@@ -87,6 +87,10 @@ def get_cmake(download, verbose):
                 cmake_local_tgz,
                 verbose)
         with tarfile.open(cmake_local_tgz, 'r') as tar:
+            for member in tar.getmembers():
+                member_path = pathlib.Path(cmake_local_dir / member.name).resolve()
+                if not cmake_local_dir in member_path.parents:
+                    raise ValueError('Tar file contents move upwards past sandbox root')
             tar.extractall(path=cmake_local_dir)
 
     return cmake_local_exe