Fix code scanning alert no. 27591: Arbitrary file write during tarfile extraction

justinchuby · github-advanced-security[bot] · web-flow · commit 43b9b850021f · 2025-01-14T10:27:25.000-08:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/onnxruntime/python/tools/tensorrt/perf/setup_scripts/setup_onnx_zoo.py b/onnxruntime/python/tools/tensorrt/perf/setup_scripts/setup_onnx_zoo.py
@@ -18,6 +18,9 @@ def extract_and_get_files(file_name):
     model_folder = file_name.replace(".tar.gz", "") + "/"
     create_model_folder(model_folder)
     with tarfile.open(file_name) as model_tar:
+        for member in model_tar.getmembers():
+            if os.path.isabs(member.name) or ".." in member.name:
+                raise ValueError(f"Illegal tar archive entry: {member.name}")
         model_tar.extractall(model_folder)
         file_list = model_tar.getnames()
         file_list.sort()
