B202: tarfile_unsafe_members

B202: Test for tarfile.extractall

This plugin will look for usage of tarfile.extractall()

Severity are set as follows:

• tarfile.extractalll(members=function(tarfile)) - LOW

• tarfile.extractalll(members=?) - member is not a function - MEDIUM

• tarfile.extractall() - members from the archive is trusted - HIGH

Use tarfile.extractall(members=function_name) and define a function that will inspect each member. Discard files that contain a directory traversal sequences such as ../ or \.. along with all special filetypes unless you explicitly need them.

Example:

>> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without
any validation. You should check members and discard dangerous ones
Severity: High   Confidence: High
CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
Location: examples/tarfile_extractall.py:8
More Info:
https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html
7       tar = tarfile.open(filename)
8       tar.extractall(path=tempfile.mkdtemp())
9       tar.close()

See also

• https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall

• https://docs.python.org/3/library/tarfile.html#tarfile.TarInfo

Added in version 1.7.5.

Changed in version 1.7.8: Added check for filter parameter