Skip to content

Detect unsafe tarfile extract calls#1457

Open
0xTaoZ wants to merge 1 commit into
PyCQA:mainfrom
0xTaoZ:agent/detect-tarfile-extract
Open

Detect unsafe tarfile extract calls#1457
0xTaoZ wants to merge 1 commit into
PyCQA:mainfrom
0xTaoZ:agent/detect-tarfile-extract

Conversation

@0xTaoZ

@0xTaoZ 0xTaoZ commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • detect unsafe tarfile.extract() calls in B202 in addition to extractall()
  • keep existing extractall(members=...) and filter="data" behavior intact
  • add a functional regression case for per-member extraction

Root cause

B202 only matched call names containing extractall, so an unsafe TarFile.extract(member, path=...) call was skipped even though it trusts archive member paths and can expose the same CWE-22 path traversal risk.

Validation

  • python -m unittest tests.functional.test_functional -k tarfile
  • python -m unittest tests.functional.test_functional
  • python -m flake8 bandit/plugins/tarfile_unsafe_members.py tests/functional/test_functional.py examples/tarfile_extractall.py
  • python -m bandit -q -r examples/tarfile_extractall.py -t B202 -f json

Resolves #1392

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

False negative: B202 unsafe tarfile.extract() not detected

1 participant