
filter data is safe for tarfile extractall (#1111)
* filter data is safe for tarfile extractall

* add versionchanged to the docstring
etienneschalk authored Feb 27, 2024
1 parent e041e12 commit c8d5f77
Showing 3 changed files with 28 additions and 2 deletions.
12 changes: 12 additions & 0 deletions bandit/plugins/tarfile_unsafe_members.py
Expand Up @@ -42,6 +42,9 @@
.. versionadded:: 1.7.5
.. versionchanged:: 1.7.8
Added check for filter parameter
"""
import ast

Expand Down Expand Up @@ -91,6 +94,13 @@ def get_members_value(context):
return {"Other": value}


def is_filter_data(context):
for keyword in context.node.keywords:
if keyword.arg == "filter":
arg = keyword.value
return isinstance(arg, ast.Str) and arg.s == "data"


@test.test_id("B202")
@test.checks("Call")
def tarfile_unsafe_members(context):
Expand All @@ -100,6 +110,8 @@ def tarfile_unsafe_members(context):
"extractall" in context.call_function_name,
]
):
if "filter" in context.call_keywords and is_filter_data(context):
return None
if "members" in context.call_keywords:
members = get_members_value(context)
if "Function" in members:
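Review bot: `is_filter_data` recognises the literal through `ast.Str` and `.s`, which have been deprecated since Python 3.8 and emit a DeprecationWarning on 3.12, so the new helper should match on `ast.Constant` instead: `return isinstance(arg, ast.Constant) and arg.value == "data"`. The same helper returns False for `filter=tarfile.data_filter`, the callable form that the stdlib documents as equivalent to `"data"`, so that safe call still falls through to the `members` checks and is reported; accepting an `ast.Attribute` whose `attr` is `"data_filter"` alongside the string would remove that false positive. A `"tar"` filter or a user-defined callable should stay flagged, since `"tar"` only sanitises member paths and mode bits and does not reject links pointing outside the destination or device members, which is what `"data"` adds. `tarfile_unsafe_members` begins and ends outside the hunk.
```python
def is_filter_data(context):
    for keyword in context.node.keywords:
        if keyword.arg == "filter":
            arg = keyword.value
            # Accept the literal "data" or the equivalent tarfile.data_filter callable.
            if isinstance(arg, ast.Constant):
                return arg.value == "data"
            return isinstance(arg, ast.Attribute) and arg.attr == "data_filter"
```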
14 changes: 14 additions & 0 deletions examples/tarfile_extractall.py
Expand Up @@ -15,6 +15,18 @@ def managed_members_archive_handler(filename):
tar.close()


def filter_data_archive_handler(filename):
tar = tarfile.open(filename)
tar.extractall(path=tempfile.mkdtemp(), filter="data")
tar.close()


def filter_fully_trusted_archive_handler(filename):
tar = tarfile.open(filename)
tar.extractall(path=tempfile.mkdtemp(), filter="fully_trusted")
tar.close()


def list_members_archive_handler(filename):
tar = tarfile.open(filename)
tar.extractall(path=tempfile.mkdtemp(), members=[])
Expand Down Expand Up @@ -45,3 +57,5 @@ def members_filter(tarfile):
filename = sys.argv[1]
unsafe_archive_handler(filename)
managed_members_archive_handler(filename)
filter_data_archive_handler(filename)
filter_fully_trusted_archive_handler(filename)
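Review bot: The two new handlers exercise only the string forms `"data"` and `"fully_trusted"`, so the plugin's result for `filter=tarfile.data_filter` (the callable the stdlib documents as equivalent to `"data"`) and for `filter="tar"` is not pinned by the functional counts; a third handler calling `tar.extractall(path=tempfile.mkdtemp(), filter=tarfile.data_filter)` would make the intended outcome explicit. Leaving `filter_fully_trusted_archive_handler` as a finding is right, since `"fully_trusted"` disables every extraction check. Both handlers open with `tarfile.open(filename)` and close manually, matching the existing handlers in this file, so a `with` block is a file-wide style choice rather than something to change in this commit.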
4 changes: 2 additions & 2 deletions tests/functional/test_functional.py
Expand Up @@ -926,7 +926,7 @@ def test_snmp_security_check(self):
def test_tarfile_unsafe_members(self):
"""Test insecure usage of tarfile."""
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 1},
"SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2},
}
self.check_example("tarfile_extractall.py", expect)

