From 349a344762c960093bfe8535e267b93a98bd2274 Mon Sep 17 00:00:00 2001
From: eschalk
Date: Tue, 27 Feb 2024 07:58:33 +0100
Subject: [PATCH 1/2] filter data is safe for tarfile extractall

---
 bandit/plugins/tarfile_unsafe_members.py | 9 +++++++++
 examples/tarfile_extractall.py | 14 ++++++++++++++
 tests/functional/test_functional.py | 4 ++--
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py
index 32c1e6127..20dded2c0 100644
--- a/bandit/plugins/tarfile_unsafe_members.py
+++ b/bandit/plugins/tarfile_unsafe_members.py
@@ -91,6 +91,13 @@ def get_members_value(context):
 return {"Other": value}
 
 
+def is_filter_data(context):
+ for keyword in context.node.keywords:
+ if keyword.arg == "filter":
+ arg = keyword.value
+ return isinstance(arg, ast.Str) and arg.s == "data"
+
+
 @test.test_id("B202")
 @test.checks("Call")
 def tarfile_unsafe_members(context):
@@ -100,6 +107,8 @@ def tarfile_unsafe_members(context):
 "extractall" in context.call_function_name,
 ]
 ):
+ if "filter" in context.call_keywords and is_filter_data(context):
+ return None
 if "members" in context.call_keywords:
 members = get_members_value(context)
 if "Function" in members:
diff --git a/examples/tarfile_extractall.py b/examples/tarfile_extractall.py
index 2af3eb544..b32736afb 100644
--- a/examples/tarfile_extractall.py
+++ b/examples/tarfile_extractall.py
@@ -15,6 +15,18 @@ def managed_members_archive_handler(filename):
 tar.close()
 
 
+def filter_data_archive_handler(filename):
+ tar = tarfile.open(filename)
+ tar.extractall(path=tempfile.mkdtemp(), filter="data")
+ tar.close()
+
+
+def filter_fully_trusted_archive_handler(filename):
+ tar = tarfile.open(filename)
+ tar.extractall(path=tempfile.mkdtemp(), filter="fully_trusted")
+ tar.close()
+
+
 def list_members_archive_handler(filename):
 tar = tarfile.open(filename)
 tar.extractall(path=tempfile.mkdtemp(), members=[])
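Review bot: `is_filter_data` inspects the keyword value through `ast.Str` and `.s`, an alias deprecated since Python 3.8 (where the parser already produces `ast.Constant`) and slated for removal, so once it disappears the `isinstance` call raises inside the plugin instead of producing a finding; the return line should read `return isinstance(arg, ast.Constant) and arg.value == "data"`, which behaves the same on every supported interpreter. The function also has no docstring; a one-liner such as `"""Return True only when the call passes the literal keyword filter="data" (the PEP 706 extraction filter); any other or non-literal value is treated as unsafe."""` would record the intent. Note that it returns `None` rather than `False` when no `filter` keyword is present, which is only acceptable because the caller guards it with `"filter" in context.call_keywords`.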
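Review bot: The new early return in `tarfile_unsafe_members` trusts only the literal string `"data"`, so the equivalent callable `filter=tarfile.data_filter` or a safe user-defined filter is still reported, while `"tar"` and `"fully_trusted"` keep the finding as the test counts show; that asymmetry deserves a comment on the added line, e.g. `# Only the literal "data" extraction filter (PEP 706) suppresses the finding; callables and other filter names are still reported.` Because the check precedes the `members` branch, a call combining `filter="data"` with `members=...` is suppressed as well, which appears consistent with the filter applying to every extracted member. The body of `tarfile_unsafe_members` starts and ends outside this hunk.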
@@ -45,3 +57,5 @@ def members_filter(tarfile):
 filename = sys.argv[1]
 unsafe_archive_handler(filename)
 managed_members_archive_handler(filename)
+ filter_data_archive_handler(filename)
+ filter_fully_trusted_archive_handler(filename)
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index a230dc30b..401c46f5f 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -926,7 +926,7 @@ def test_snmp_security_check(self):
 def test_tarfile_unsafe_members(self):
 """Test insecure usage of tarfile."""
 expect = {
- "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1},
- "CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1},
+ "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2},
+ "CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2},
 }
 self.check_example("tarfile_extractall.py", expect)

From 0dfa7ca106b3c21c563dd0bda432ddb84cd3fed1 Mon Sep 17 00:00:00 2001
From: eschalk
Date: Tue, 27 Feb 2024 20:55:33 +0100
Subject: [PATCH 2/2] add versionchanged to the docstring

---
 bandit/plugins/tarfile_unsafe_members.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bandit/plugins/tarfile_unsafe_members.py b/bandit/plugins/tarfile_unsafe_members.py
index 20dded2c0..5ad145c1a 100644
--- a/bandit/plugins/tarfile_unsafe_members.py
+++ b/bandit/plugins/tarfile_unsafe_members.py
@@ -42,6 +42,9 @@
 
 .. versionadded:: 1.7.5
 
+.. versionchanged:: 1.7.8
+ Added check for filter parameter
+
 """
 import ast
 