[python] TarSlip vulnerability improvements

[Sim4n6]

Query PR

github/codeql#10851 (closed in favor of the next one)
github/codeql#10887

Language

Python

CVE(s) ID list

• https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11/
• https://huntr.dev/bounties/309725a2-bfc9-4ef3-a4c1-360a9f6b890b/
  more to come.

CWE

CWE-022

Report

1. TarSlip vulnerability.
2. _Extracting files from a malicious tarball without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten, due to the possible presence of directory traversal elements (..) in archive path names.
3. I have added more sources and sinks than I checked the combination use of both.
4. Yes, I've checked the query against valid samples extracted from https://cs.github.com. I ethically reported them using https://huntr.dev (more to become public soon).
5. This is my first contribution, and I would love to provide more.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

https://www.getrevue.co/profile/sim4n6

#710 (comment)

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[Sim4n6]

Re-adapted the PR into this one: github/codeql#10887

[Sim4n6]

PR merged github/codeql#10887 💯

[Sim4n6]

Any update related to this issue, please? 🙃

[JarLob]

Hi @Sim4n6,
Sorry that it takes so long. As I see it is very close to resolution. Unfortunately GitHub Universe 2022 may delay the final step for few days more. I'll ping people and maybe it will be resolved sooner.

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Hello @Sim4n6
Can you please provide a public email address, or send me privately a private one?
Thanks

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[Sim4n6]

Sim4n6@gmail.com

[xcorail]

Created Hackerone report 1775224 for bounty 438181 : [710] [python] TarSlip vulnerability improvements