openedx-unsupported / edx-analytics-pipeline

GNU Affero General Public License v3.0

CVE-2007-4559 Patch #884

Closed TrellixVulnTeam closed 1 year ago

TrellixVulnTeam commented 1 year ago

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have begun a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15-year-old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsanitized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this project's lead researcher Kasimir Schulz.

openedx-webhooks commented 1 year ago

Thanks for the pull request, @TrellixVulnTeam! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

:warning: We can't start reviewing your pull request until you've submitted a signed contributor agreement or indicated your institutional affiliation. Please see the CONTRIBUTING file for more information. If you've signed an agreement in the past, you may need to re-sign. See The New Home of the Open edX Codebase for details.

Once you've signed the CLA, please allow 1 business day for it to be processed. After this time, you can re-run the CLA check by editing the PR title. If the problem persists, you can tag the @openedx/cla-problems team in a comment on your PR for further assistance.

mphilbrick211 commented 1 year ago

Hi @TrellixVulnTeam! Thanks again for your submission. Are you planning to pursue this PR? If so, you'll need to complete a CLA agreement as mentioned above.

e0d commented 1 year ago

@feanil next steps?

feanil commented 1 year ago

I'm not sure if this fix is relevant here. The analytics pipeline extracts files created in other steps in the pipeline which won't have any .. or / paths. It doesn't hurt to add this change but we currently have no maintainer so who should be reviewing this change? I don't think it's an urgent or critical fix given how this code is currently being used.

mphilbrick211 commented 1 year ago

Thanks, @feanil and @e0d. Ok to close?

mphilbrick211 commented 1 year ago

@feanil just checking back in on this :)

openedx-webhooks commented 1 year ago

@TrellixVulnTeam Even though your pull request wasn’t merged, please take a moment to answer a two-question survey so we can improve your experience in the future.