filter data is safe for tarfile extractall #1111

Merged
12 changes: 12 additions & 0 deletions bandit/plugins/tarfile_unsafe_members.py
Expand Up @@ -42,6 +42,9 @@

.. versionadded:: 1.7.5

.. versionchanged:: 1.7.8
Added check for filter parameter

"""
import ast

Expand Down Expand Up @@ -91,6 +94,13 @@ def get_members_value(context):
return {"Other": value}


def is_filter_data(context):
for keyword in context.node.keywords:
if keyword.arg == "filter":
arg = keyword.value
return isinstance(arg, ast.Str) and arg.s == "data"


@test.test_id("B202")
@test.checks("Call")
def tarfile_unsafe_members(context):
Expand All @@ -100,6 +110,8 @@ def tarfile_unsafe_members(context):
"extractall" in context.call_function_name,
]
):
if "filter" in context.call_keywords and is_filter_data(context):
return None
if "members" in context.call_keywords:
members = get_members_value(context)
if "Function" in members:
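Review bot: `is_filter_data` in the second hunk matches the literal with `ast.Str` and `arg.s`, which have been deprecated since Python 3.8 in favour of `ast.Constant`; writing the test as `return isinstance(arg, ast.Constant) and arg.value == "data"` avoids the DeprecationWarning on newer interpreters and behaves the same where the `ast.Str` alias still works. The helper also falls off the end with an implicit `None` when no `filter` keyword is present; the caller guards this with `"filter" in context.call_keywords` in the third hunk, but an explicit trailing `return False` would make the helper safe to call on its own. A docstring stating that only the string literal `"data"` is accepted would document the deliberate false positive for `filter=tarfile.data_filter` or a name bound to a filter, which the check cannot resolve and therefore still reports, presumably by design since reporting is the conservative outcome.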
14 changes: 14 additions & 0 deletions examples/tarfile_extractall.py
Expand Up @@ -15,6 +15,18 @@ def managed_members_archive_handler(filename):
tar.close()


def filter_data_archive_handler(filename):
tar = tarfile.open(filename)
tar.extractall(path=tempfile.mkdtemp(), filter="data")
tar.close()


def filter_fully_trusted_archive_handler(filename):
tar = tarfile.open(filename)
tar.extractall(path=tempfile.mkdtemp(), filter="fully_trusted")
tar.close()


def list_members_archive_handler(filename):
tar = tarfile.open(filename)
tar.extractall(path=tempfile.mkdtemp(), members=[])
Expand Down Expand Up @@ -45,3 +57,5 @@ def members_filter(tarfile):
filename = sys.argv[1]
unsafe_archive_handler(filename)
managed_members_archive_handler(filename)
filter_data_archive_handler(filename)
filter_fully_trusted_archive_handler(filename)
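Review bot: The two new handlers in the first hunk serve as fixtures for the B202 expectation, but nothing in the file says which of them is meant to be reported; a one-line comment above each, e.g. `# filter="data" is the safe extraction filter; B202 should not fire here` and `# "fully_trusted" disables the filter protections; B202 should fire`, would tie the examples to the count change in tests/functional/test_functional.py. The fixture covers only the string-literal spelling, so a call passing the `tarfile.data_filter` callable, if one were added, would hit the path the plugin does not recognise and be reported. The enclosing module continues outside both hunks.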
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
Expand Up @@ -926,7 +926,7 @@ def test_snmp_security_check(self):
def test_tarfile_unsafe_members(self):
"""Test insecure usage of tarfile."""
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1},
"SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2},
}
self.check_example("tarfile_extractall.py", expect)
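Review bot: The HIGH count in `test_tarfile_unsafe_members` moves from 1 to 2 without saying which example produced the extra finding, so a reader cannot tell from this hunk that the `filter="data"` handler is the one expected to stay silent; a short comment next to the expectation, such as `# fully_trusted example adds one HIGH; the filter="data" example must not be reported`, would make the intent explicit. Because the assertion is purely count-based, a regression that reported the data case while missing the fully_trusted one would leave the totals unchanged and still pass; if the functional harness supports per-line expectations, naming the lines would be stronger, though whether check_example does is not visible from this hunk.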