tarfile check plugin

Registered by Tim Kelsey

It would be useful to report uses of TarFile.extract/extractall. They are insecure to use by default: every member must first be checked for strange paths (absolute names or `..` components that would place files outside the destination directory). See https://docs.python.org/2/library/tarfile.html#tarfile.TarFile.extractall

Unfortunately these are methods, not functions, so there are two ways forward: either guess that any extract/extractall call may be made on a TarFile (this could be very noisy with false positives), or do some minimal type inference (this should be easier with the symbol table caching idea). Fortunately, TarFile usage should usually be trivial and localised in one function.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Tim Kelsey
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Eric Brown
