Improve path traversal security vulnerability (#6138)

Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
2023-11-04 22:25:49 +01:00 · 2023-11-04 22:25:49 +01:00 · 168e536fae
commit 168e536fae
parent c0e707a03a
5 changed files with 41 additions and 15 deletions
--- a/ultralytics/utils/checks.py
+++ b/ultralytics/utils/checks.py
@ -463,6 +463,23 @@ def check_yaml(file, suffix=('.yaml', '.yml'), hard=True):
    return check_file(file, suffix, hard=hard)


+def check_is_path_safe(basedir, path):
+    """
+    Check if the resolved path is under the intended directory to prevent path traversal.
+
+    Args:
+        basedir (Path | str): The intended directory.
+        path (Path | str): The path to check.
+
+    Returns:
+        (bool): True if the path is safe, False otherwise.
+    """
+    base_dir_resolved = Path(basedir).resolve()
+    path_resolved = Path(path).resolve()
+
+    return path_resolved.is_file() and path_resolved.parts[:len(base_dir_resolved.parts)] == base_dir_resolved.parts
+
+
 def check_imshow(warn=False):
    """Check if environment supports image displays."""
    try:
--- a/ultralytics/utils/downloads.py
+++ b/ultralytics/utils/downloads.py
@ -159,7 +159,11 @@ def unzip_file(file, path=None, exclude=('.DS_Store', '__MACOSX'), exist_ok=Fals
            return path

        for f in TQDM(files, desc=f'Unzipping {file} to {Path(path).resolve()}...', unit='file', disable=not progress):
-            zipObj.extract(f, path=extract_path)
+            # Ensure the file is within the extract_path to avoid path traversal security vulnerability
+            if '..' in Path(f).parts:
+                LOGGER.warning(f'Potentially insecure file path: {f}, skipping extraction.')
+                continue
+            zipObj.extract(f, extract_path)

    return path  # return unzip dir