From 5828105c2f53c8da55b6a33ccc880f79c64d68f1 Mon Sep 17 00:00:00 2001
From: FugoP <264910004+AgentGymLeader@users.noreply.github.com>
Date: Sun, 14 Jun 2026 14:44:18 +0900
Subject: [PATCH] Use extract_path (not CWD) as tar-extraction containment base

The pre-3.12 fallback in custom_extractall_tarfile filtered members with
_get_safe_members, which resolved its containment base from the current
working directory (_get_resolved_path("")) instead of the extraction
target. A crafted model/code tarball could therefore write outside the
intended extract_path; the post-extraction validator only walks
extract_path and cannot see escapes. Pass extract_path into
_get_safe_members so members are validated against the extraction target,
matching _validate_extracted_paths and the _repack_model.py sibling.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 sagemaker-core/src/sagemaker/core/common_utils.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sagemaker-core/src/sagemaker/core/common_utils.py b/sagemaker-core/src/sagemaker/core/common_utils.py
index 8a8134f5ea..f2f9ae99f9 100644
--- a/sagemaker-core/src/sagemaker/core/common_utils.py
+++ b/sagemaker-core/src/sagemaker/core/common_utils.py
@@ -1767,7 +1767,7 @@ def _is_bad_link(info, base):
     return _is_bad_path(info.linkname, base=tip)
 
 
-def _get_safe_members(members):
+def _get_safe_members(members, base_path):
     """A generator that yields members that are safe to extract.
 
     It filters out bad paths and bad links.
@@ -1778,7 +1778,7 @@ def _get_safe_members(members):
     Yields:
         tarfile.TarInfo: The tar file info.
     """
-    base = _get_resolved_path("")
+    base = _get_resolved_path(base_path)
 
     for file_info in members:
         if _is_bad_path(file_info.name, base):
@@ -1842,7 +1842,7 @@ def custom_extractall_tarfile(tar, extract_path):
     if hasattr(tarfile, "data_filter"):
         tar.extractall(path=extract_path, filter="data")
     else:
-        tar.extractall(path=extract_path, members=_get_safe_members(tar))
+        tar.extractall(path=extract_path, members=_get_safe_members(tar, extract_path))
         # Re-validate extracted paths to catch symlink race conditions
         _validate_extracted_paths(extract_path)