Fix path traversal risk in tarfile extractall usage #4586
+10 −1
Hi Maintainers 👋,
This Pull Request addresses a Semgrep security finding related to the unsafe extraction of tar archives, which may lead to path traversal vulnerabilities if the archive source is attacker-controlled.
🔍 Issue Details
Rule ID: tarfile-extractall-traversal
Severity: Medium
Rule Message:
Possible path traversal through tarfile.open($PATH).extractall() if the source tar is controlled by an attacker.
📍 Affected Location
File Path:
/tools/scanResult/unzipped-72658404/.build/run-ci
Line: 651
✅ Fix Applied
Updated the tar extraction logic to ensure that tar members are validated before extraction, preventing files from being written outside the intended destination directory.
This avoids unsafe use of extractall() on potentially untrusted archives.
🎯 Impact
This change mitigates the risk of directory traversal attacks by ensuring only safe and expected paths are extracted from tar archives, strengthening the overall security of the extraction process.
The issue was identified and remediated using AI-Guardian, a security analysis tool developed by my company, OpsMx.
Thanks for your time and review 🙏
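The PR's diff is not shown on this page, so the following is an added example (not the project's code and not the PR author's change) of the pattern the description refers to: every `TarInfo` member is validated before `extractall()` is called, rejecting `..` and absolute names, plus symlink and hardlink targets that resolve outside the destination. The helper names (`unsafe_members`, `safe_extractall`, `build_tar`, `demo`) and the two in-memory archives are constructed for this example; on Python versions that provide `tarfile.data_filter`, the stdlib `filter="data"` check is applied as a second layer.

```python
"""Validate tar members before extractall() to block path traversal (added example)."""
import io
import os
import tarfile
import tempfile
from typing import List


class UnsafeTarMember(ValueError):
    """A tar member would write or link outside the destination directory."""


def _inside(base: str, path: str) -> bool:
    """True if the resolved path is the resolved base or lies beneath it."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    try:
        return os.path.commonpath([base, path]) == base
    except ValueError:  # e.g. different drives on Windows
        return False


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members that would escape dest: '..' or absolute names, and
    symlink/hardlink targets resolving outside dest (hypothetical helper)."""
    dest = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        # os.path.join discards dest for an absolute m.name, so that case is caught here too
        target = os.path.join(dest, m.name)
        if not _inside(dest, target):
            bad.append(m.name)
            continue
        if m.issym():
            link = os.path.join(os.path.dirname(target), m.linkname)  # relative to the link's dir
        elif m.islnk():
            link = os.path.join(dest, m.linkname)  # hardlinks are relative to the archive root
        else:
            continue
        if not _inside(dest, link):
            bad.append(m.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe, then extract."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise UnsafeTarMember("refusing to extract: " + ", ".join(bad))
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)


def build_tar(entries) -> bytes:
    """Build an in-memory tar from (name, kind, payload) tuples (constructed test data).
    kind: 'file' (payload = bytes), 'sym' or 'hard' (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE if kind == "sym" else tarfile.LNKTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed archives: one benign, one carrying the classic escape members.
SAFE_TAR = build_tar([
    ("pkg/README", "file", b"hello\n"),
    ("pkg/alias", "sym", "README"),          # symlink that stays inside pkg/
])
MALICIOUS_TAR = build_tar([
    ("pkg/README", "file", b"hello\n"),
    ("../escape.txt", "file", b"owned\n"),    # '..' traversal in the member name
    ("pkg/etc", "sym", "/etc"),               # absolute symlink target
    ("pkg/up", "sym", "../../.."),            # relative symlink climbing out of dest
    ("pkg/hard", "hard", "../outside"),       # hardlink target outside the archive root
])


def check(blob: bytes, dest: str) -> List[str]:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_members(tar, dest)


def extract(blob: bytes, dest: str) -> List[str]:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        safe_extractall(tar, dest)
    return sorted(os.listdir(os.path.join(dest, "pkg")))


def demo():
    """Returns (members flagged in MALICIOUS_TAR, files extracted from SAFE_TAR,
    whether extracting MALICIOUS_TAR was blocked)."""
    with tempfile.TemporaryDirectory() as d:
        flagged = check(MALICIOUS_TAR, d)
        extracted = extract(SAFE_TAR, d)
        try:
            extract(MALICIOUS_TAR, d)
            blocked = False
        except UnsafeTarMember:
            blocked = True
    return flagged, extracted, blocked


if __name__ == "__main__":
    print(demo())
```

The whole archive is rejected rather than skipping the bad members, so a partially extracted tree never ends up in the destination; `realpath` is applied to both sides of the comparison so a destination that is itself a symlink (or a `..` hidden behind `./`) cannot defeat the prefix check.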