Investigate potential issue reported by bandit #694
Assignees
Comments
|
One simple fix starting with Python 3.12 would be to use the extraction filter "data". This will be the default in Python 3.14. The question is whether we need to make it configurable or not. Do we have legitimate use case of a different extraction filter? See https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter |
|
I have a testcase which reproduces the issue. Working on a fix. |
adacore-bot
pushed a commit
that referenced
this issue
Oct 24, 2024
As reported by `bandit` B202 handler, the `tarfile.extractall()` method is not safe with some file paths. We previously ignored this handler, and decided to handle things in the `e3.archive` module now. The `tarfile.data_filter()` is now used when it exists, and a fallback handling absolute paths and traversal paths has been created. Ref: #694
|
Issue should be fixed by the commit mentioned above: 31ee075 |
|
We had to revert the commit because of a bug in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See https://bandit.readthedocs.io/en/1.7.8/plugins/b202_tarfile_unsafe_members.html
The text was updated successfully, but these errors were encountered: