B202: tarfile_unsafe_members

B202: Test for tarfile.extractall

This plugin will look for usage of tarfile.extractall()

Severity are set as follows:

  • tarfile.extractalll(members=function(tarfile)) - LOW

  • tarfile.extractalll(members=?) - member is not a function - MEDIUM

  • tarfile.extractall() - members from the archive is trusted - HIGH

Use tarfile.extractall(members=function_name) and define a function that will inspect each member. Discard files that contain a directory traversal sequences such as ../ or \.. along with all special filetypes unless you explicitly need them.


>> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without
any validation. You should check members and discard dangerous ones
Severity: High   Confidence: High
CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
Location: examples/tarfile_extractall.py:8
More Info:
7       tar = tarfile.open(filename)
8       tar.extractall(path=tempfile.mkdtemp())
9       tar.close()

New in version 1.7.5.

Changed in version 1.7.8: Added check for filter parameter