[2.2.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().

Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.

Thanks Wang Baohua for the report.

Backport of 05413afa8c18cdb978fcdf470e09f7a12b234a23 from master.

1 files changed, 21 insertions, 0 deletions

diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py
index d58d211ae5..ed7908df82 100644
--- a/tests/utils_tests/test_archive.py
+++ b/tests/utils_tests/test_archive.py
@@ -5,6 +5,8 @@ import sys
 import tempfile
 import unittest
 
+from django.core.exceptions import SuspiciousOperation
+from django.test import SimpleTestCase
 from django.utils.archive import Archive, extract
 
 TEST_DIR = os.path.join(os.path.dirname(__file__), 'archives')
@@ -87,3 +89,22 @@ class TestGzipTar(ArchiveTester, unittest.TestCase):
 
 class TestBzip2Tar(ArchiveTester, unittest.TestCase):
     archive = 'foobar.tar.bz2'
+
+
+class TestArchiveInvalid(SimpleTestCase):
+    def test_extract_function_traversal(self):
+        archives_dir = os.path.join(os.path.dirname(__file__), 'traversal_archives')
+        tests = [
+            ('traversal.tar', '..'),
+            ('traversal_absolute.tar', '/tmp/evil.py'),
+        ]
+        if sys.platform == 'win32':
+            tests += [
+                ('traversal_disk_win.tar', 'd:evil.py'),
+                ('traversal_disk_win.zip', 'd:evil.py'),
+            ]
+        msg = "Archive contains invalid path: '%s'"
+        for entry, invalid_path in tests:
+            with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
+                with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path):
+                    extract(os.path.join(archives_dir, entry), tmpdir)