AdaCore / e3-core

Core framework for developing portable automated build systems

Investigate potential issue reported by bandit #694

Open enzbang opened 5 months ago

enzbang commented 5 months ago

See https://bandit.readthedocs.io/en/1.7.8/plugins/b202_tarfile_unsafe_members.html

enzbang commented 2 months ago

One simple fix starting with Python 3.12 would be to use the extraction filter "data". This will be the default in Python 3.14.

The question is whether we need to make it configurable or not. Do we have a legitimate use case for a different extraction filter?

See https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter