Merge pull request #9851 from RasaHQ/tarsafe-on-2.8.x

Swap calls to extractall for TarSafe equivalent - 2.8.x
RasaHQ · Oct 13, 2021 · 0e8ef43 · 0e8ef43
2 parents 6e30256 + d28c2e4
commit 0e8ef43
Show file tree

Hide file tree

Showing 6 changed files with 257 additions and 164 deletions.
diff --git a/changelog/9851.bugfix.md b/changelog/9851.bugfix.md
@@ -0,0 +1 @@
+Fix CVE-2021-41127
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -96,6 +96,7 @@ terminaltables = "~3.1.0"
 sanic = ">=19.12.2,<20.12.0"
 sanic-cors = "^0.10.0b1"
 sanic-jwt = ">=1.3.2,<1.7.0"
+pyjwt = "~2.1.0"
 cloudpickle = ">=1.2,<1.7"
 aiohttp = ">=3.6,<3.8,!=3.7.4.post0"
 questionary = ">=1.5.1,<1.10.0"
@@ -122,6 +123,7 @@ joblib = ">=0.15.1,<1.1.0"
 sentry-sdk = ">=0.17.0,<1.3.0"
 aio-pika = "^6.7.1"
 pyTelegramBotAPI = "^3.7.3"
+tarsafe = "^0.0.3"
 
 [tool.poetry.dev-dependencies]
 pytest-cov = "^2.10.0"

diff --git a/rasa/model.py b/rasa/model.py
@@ -222,13 +222,14 @@ def unpack_model(
 
     """
     import tarfile
+    from tarsafe import TarSafe
 
     if working_directory is None:
         working_directory = tempfile.mkdtemp()
 
     # All files are in a subdirectory.
     try:
-        with tarfile.open(model_file, mode="r:gz") as tar:
+        with TarSafe.open(model_file, mode="r:gz") as tar:
             tar.extractall(working_directory)
             logger.debug(f"Extracted model to '{working_directory}'.")
     except (tarfile.TarError, ValueError) as e:

diff --git a/rasa/nlu/persistor.py b/rasa/nlu/persistor.py
@@ -2,7 +2,7 @@
 import logging
 import os
 import shutil
-import tarfile
+from tarsafe import TarSafe
 from typing import Optional, Text, Tuple, TYPE_CHECKING
 
 import rasa.shared.utils.common
@@ -103,7 +103,7 @@ def _tar_name(model_name: Text, include_extension: bool = True) -> Text:
     @staticmethod
     def _decompress(compressed_path: Text, target_path: Text) -> None:
 
-        with tarfile.open(compressed_path, "r:gz") as tar:
+        with TarSafe.open(compressed_path, "r:gz") as tar:
             tar.extractall(target_path)  # target dir will be created if it not exists
 
 

diff --git a/rasa/utils/io.py b/rasa/utils/io.py
@@ -3,6 +3,7 @@
 import os
 import pickle
 import tarfile
+from tarsafe import TarSafe
 import tempfile
 import warnings
 import zipfile
@@ -87,7 +88,7 @@ def unarchive(byte_array: bytes, directory: Text) -> Text:
     Tries to use tar first to unpack, if that fails, zip will be used."""
 
     try:
-        tar = tarfile.open(fileobj=IOReader(byte_array))
+        tar = TarSafe.open(fileobj=IOReader(byte_array))
         tar.extractall(directory)
         tar.close()
         return directory