This linter searches for use of the extract
or extractall
methods
on TarFile
objects. Use of these functions allows for arbitrary file
overwrites.
import tarfile
def func():
tf = tarfile.TarFile()
tf.extract()
tf.extractall()
To ensure secure usage you must inspect the tarfile prior to extracting it
From the Python documentation:
Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with
"/"
or filenames with two dots".."
.
- Extracting tarfiles from trusted sources