This linter searches for use of the extract or extractall methods
on TarFile objects. Use of these functions allows for arbitrary file
overwrites.
import tarfile
def func():
tf = tarfile.TarFile()
tf.extract()
tf.extractall()To ensure secure usage you must inspect the tarfile prior to extracting it
From the Python documentation:
Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with
"/"or filenames with two dots"..".
- Extracting tarfiles from trusted sources