Describe the bug
B202 is intended to detect unsafe tar extraction patterns (CWE-22), but the current implementation only checks for extractall calls and misses unsafe extract usage.
Reproduction steps
cat > /tmp/repro_b202_extract_fn.py <<'PY'
import tarfile
import tempfile
from pathlib import Path


def unsafe_archive_handler(filename):
    target_dir = Path(tempfile.mkdtemp())
    tar = tarfile.open(filename)
    for member in tar.getmembers():
        # Vulnerable: no validation of member.name/linkname
        tar.extract(member, path=target_dir)
    tar.close()
PY
bandit -r /tmp/repro_b202_extract_fn.py -t B202
Expected behavior
B202 should also detect an unsafe tarfile.extract() usage, not only extractall().
Bandit version
1.9.1 (Default)
Python version
3.14 (Default)
Additional context
No response
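As an added illustration (not part of the report above and not Bandit's B202 plugin code), the following stand-alone ast-based check does what the report asks for: it reports tarfile.extract() as well as tarfile.extractall() whenever the call does not pass filter="data". Assumptions beyond the report: only the string literal "data" is accepted as safe (the "tar" and "fully_trusted" filters are reported, and a custom callable is reported for manual review); the check only fires in modules that import tarfile; the sample sources embedded below are constructed, the first being the handler from the report.

```python
"""Added illustration, not Bandit's B202 plugin: a stand-alone ast check that
flags tarfile .extract() / .extractall() calls not passing filter="data"."""
from __future__ import annotations

import ast
from dataclasses import dataclass

UNSAFE_TAR_METHODS = frozenset({"extract", "extractall"})
REASON_MISSING = "no filter= argument"
REASON_UNSAFE_LITERAL = "filter literal other than 'data'"
REASON_CUSTOM = "non-literal filter; review the callable"


@dataclass(frozen=True)
class Finding:
    lineno: int
    method: str
    reason: str


def _classify_filter(call: ast.Call) -> str | None:
    """Reason the call is not proven safe, or None if filter="data" is passed."""
    for kw in call.keywords:
        if kw.arg != "filter":
            continue
        # Assumption: only the literal "data" is treated as safe; it is the one
        # built-in filter that also rejects links escaping the target (PEP 706).
        # "tar"/"fully_trusted" are reported; a custom callable is reported for
        # manual review because its behaviour is not visible statically.
        if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
            return None if kw.value.value == "data" else REASON_UNSAFE_LITERAL
        return REASON_CUSTOM
    return REASON_MISSING


class TarExtractVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tarfile_imported = False
        self.findings: list[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        self.tarfile_imported |= any(a.name == "tarfile" for a in node.names)
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        self.tarfile_imported |= node.module == "tarfile"
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in UNSAFE_TAR_METHODS:
            reason = _classify_filter(node)
            if reason is not None:
                self.findings.append(Finding(node.lineno, func.attr, reason))
        self.generic_visit(node)


def find_unsafe_tar_extraction(source: str) -> list[Finding]:
    """Return every extract/extractall call in `source` not proven safe.

    Assumption: like a module-scoped linter test, report only when the module
    imports tarfile, so zipfile's extractall() alone is not a hit. The match is
    name-based, so any .extract() call in a module importing tarfile is reported.
    """
    visitor = TarExtractVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings if visitor.tarfile_imported else []


# Constructed sample inputs. REPRO_SOURCE is the handler from the report above.
REPRO_SOURCE = '''\
import tarfile
import tempfile
from pathlib import Path


def unsafe_archive_handler(filename):
    target_dir = Path(tempfile.mkdtemp())
    tar = tarfile.open(filename)
    for member in tar.getmembers():
        # Vulnerable: no validation of member.name/linkname
        tar.extract(member, path=target_dir)
    tar.close()
'''

HARDENED_SOURCE = '''\
import tarfile

def safe_archive_handler(filename, target_dir):
    with tarfile.open(filename) as tar:
        tar.extractall(path=target_dir, filter="data")
'''

MIXED_SOURCE = '''\
import tarfile

def handler(filename, target_dir, my_filter):
    with tarfile.open(filename) as tar:
        tar.extractall(path=target_dir, filter="fully_trusted")
        for member in tar.getmembers():
            tar.extract(member, path=target_dir, filter=my_filter)
'''

NO_TARFILE_SOURCE = "import zipfile\nzipfile.ZipFile('a.zip').extractall('/tmp/x')\n"

if __name__ == "__main__":
    for name, src in [("repro", REPRO_SOURCE), ("hardened", HARDENED_SOURCE),
                      ("mixed", MIXED_SOURCE), ("no_tarfile", NO_TARFILE_SOURCE)]:
        for f in find_unsafe_tar_extraction(src):
            print(f"{name}:{f.lineno}: tarfile.{f.method}() - {f.reason}")
```

Run as a script it reports line 11 of the repro (extract without filter=) and lines 5 and 7 of the mixed sample, and nothing for the hardened or zipfile samples. Two caveats: the match is name-based, so an unrelated object's .extract() in a module that also imports tarfile is reported too; and the check is interpreter-agnostic, whereas PEP 706 scheduled the default extraction filter to become "data" in Python 3.14, so on that interpreter a missing filter= is no longer unsafe at runtime. A linter cannot know which interpreter will run the code, so treating the omission as a finding is the conservative choice.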