From 2dedc26f2b9c116a134f5e61a53d91aad6831993 Mon Sep 17 00:00:00 2001
From: TrellixVulnTeam <charles.mcfarland@trellix.com>
Date: Wed, 2 Nov 2022 23:20:04 +0000
Subject: [PATCH] Adding tarfile member sanitization to extractall()

---
 alphafold2/colabfold.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/alphafold2/colabfold.py b/alphafold2/colabfold.py
index a116d2a..f2eed0c 100644
--- a/alphafold2/colabfold.py
+++ b/alphafold2/colabfold.py
@@ -165,7 +165,26 @@ def download(ID, path):
   # extract a3m files
   if not os.path.isfile(a3m_files[0]):
     with tarfile.open(tar_gz_file) as tar_gz:
-      tar_gz.extractall(path)  
+      def is_within_directory(directory, target):
+          
+          abs_directory = os.path.abspath(directory)
+          abs_target = os.path.abspath(target)
+      
+          prefix = os.path.commonprefix([abs_directory, abs_target])
+          
+          return prefix == abs_directory
+      
+      def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+      
+          for member in tar.getmembers():
+              member_path = os.path.join(path, member.name)
+              if not is_within_directory(path, member_path):
+                  raise Exception("Attempted Path Traversal in Tar File")
+      
+          tar.extractall(path, members, numeric_owner=numeric_owner) 
+          
+      
+      safe_extract(tar_gz, path)
 
   # templates
   if use_templates: