raise error when the uploaded tar contain hard/soft link (binary-husk…

…y#2136)
Ericxisuo · Feb 8, 2025 · 07ece29 · 07ece29
1 parent 991a903
commit 07ece29
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/shared_utils/handle_upload.py b/shared_utils/handle_upload.py
@@ -111,6 +111,8 @@ def extract_archive(file_path, dest_dir):
                     member_path = os.path.normpath(member.name)
                     full_path = os.path.join(dest_dir, member_path)
                     full_path = os.path.abspath(full_path)
+                    if member.islnk() or member.issym():
+                        raise Exception(f"Attempted Symlink in {member.name}")
                     if not full_path.startswith(os.path.abspath(dest_dir) + os.sep):
                         raise Exception(f"Attempted Path Traversal in {member.name}")