From bd908ccc71863413172423938c6a6f2b1cda9b57 Mon Sep 17 00:00:00 2001 From: dewhush Date: Mon, 8 Jun 2026 03:24:22 -1100 Subject: [PATCH] fix: harden path_traversal vulnerability in bitaps-com_pybtc Addressed unsafe code patterns found during security review: - path_traversal** Tested locally, no regressions observed. --- setup_tools.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/setup_tools.py b/setup_tools.py index baf8fe6b..c1fbf494 100644 --- a/setup_tools.py +++ b/setup_tools.py @@ -61,6 +61,12 @@ def download_library(command): content = BytesIO(r.read()) content.seek(0) with tarfile.open(fileobj=content) as tf: + # Prevent Tar Slip (Path Traversal) + base_path = os.path.realpath(os.getcwd()) + for member in tf.getmembers(): + member_path = os.path.realpath(os.path.join(base_path, member.name)) + if not member_path.startswith(base_path + os.sep) and member_path != base_path: + raise Exception('Attempted Path Traversal in Tar File') dirname = tf.getnames()[0].partition('/')[0] tf.extractall() shutil.move(dirname, libdir) @@ -149,4 +155,4 @@ def detect_dll(): for fn in os.listdir(os.path.join(here, 'libsecp256k1')): if fn.endswith('.dll'): return True - return False \ No newline at end of file + return False