Use tarsafe instead of built-in tarfile to extract archives (#89)

* Use tarsafe instead of built-in tarfile to extract archives * Bump down Semgrep version to 0.112.1 See also semgrep/semgrep#6631
DataDog · Nov 29, 2022 · 98af5c8 · 98af5c8
1 parent 14b3858
commit 98af5c8
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 299 deletions.
diff --git a/guarddog/scanners/package_scanner.py b/guarddog/scanners/package_scanner.py
@@ -2,7 +2,7 @@
 import os
 import shutil
 import sys
-import tarfile
+import tarsafe
 import tempfile
 import requests
 
@@ -44,7 +44,7 @@ def scan_local(self, path, rules=None) -> dict:
         if os.path.exists(path):
             if path.endswith('.tar.gz'):
                 with tempfile.TemporaryDirectory() as tmpdirname:
-                    tarfile.open(path).extractall(tmpdirname)
+                    tarsafe.open(path).extractall(tmpdirname)
                     return self.analyzer.analyze_sourcecode(tmpdirname, rules=rules)
             elif os.path.isdir(path):
                 return self.analyzer.analyze_sourcecode(path, rules=rules)

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -12,7 +12,8 @@ guarddog = "guarddog.cli:cli"
 [tool.poetry.dependencies]
 python = ">=3.9, <4"
 docker = "==6.0.0b1"
-semgrep = "==0.122.0"
+# NOTE: Before https://github.com/returntocorp/semgrep/issues/6631 is addressed, we can't seem to upgrade past 0.112.1
+semgrep = "==0.112.1"
 requests = "==2.28.1"
 tqdm = "==4.64.0"
 python-dotenv = "==0.20.0"
@@ -47,6 +48,7 @@ flake8 = "^5.0.4"
 python-whois = "^0.8.0"
 termcolor = "^2.1.0"
 setuptools = "^65.6.3"
+tarsafe = "^0.0.4"
 
 [tool.poetry.dev-dependencies]