(security) Fix tar slip in micropackaging

[ankatiyar]

Description

Fix #3473

While we had already addressed the vulnerability with #2180, this helps snyk not flag it. You can test it by setting up snyk locally and running snyk code test
Also removed extractall from tests and replaced with safe_extract.

Before

After

bandit still flags this so I haven't removed the # no sec B202

Checklist

• Read the contributing guidelines
• Signed off each commit with a Developer Certificate of Origin (DCO)
• Opened this PR as a 'Draft Pull Request' if it is work-in-progress
• Updated the documentation to reflect the code changes
• Added a description of this change in the RELEASE.md file
• Added tests to cover my changes
• Checked if this change will affect Kedro-Viz, and if so, communicated that with the Viz team

[astrojuanlu]

bandit still flags this so I haven't removed the # no sec B202

What's the bandit error message exactly?

[ankatiyar]

bandit still flags this so I haven't removed the # no sec B202

What's the bandit error message exactly?

@astrojuanlu It flags the same issue, actually, but brings down the severity from high to medium -

>> Issue: [B202:tarfile_unsafe_members] Found tarfile.extractall(members=?) but couldn't identify the type of members. Check if the members were properly validated {'Other': 'safe_members'}).
   Severity: Medium   Confidence: Medium
   CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b202_tarfile_unsafe_members.html
   Location: /Users/ankita_katiyar/kedro/kedro/kedro/framework/cli/micropkg.py:400:4
399             safe_members.append(member)
400         tar.extractall(path, members=safe_members)

[merelcht]

Great work! ⭐ I'd suggest adding it to the release notes as well to make it visible we take security seriously in Kedro.

It's a shame bandit still flags it.. hopefully they fix it soon.