PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

filter data is safe for tarfile extractall #1111

Closed etienneschalk closed 9 months ago

etienneschalk commented 9 months ago

Related to issue #1038

Currently the following line: tarfile.extractall(path=some_path, filter="data") raises an error. See comment https://github.com/PyCQA/bandit/issues/1038#issuecomment-1956512283

However, this should be safe according to comment https://github.com/PyCQA/bandit/issues/1038#issuecomment-1834110126

This PR does not attempt to fix issue #1038, but starts by making the aforementioned line legal. If filter="data" is detected, the rule exits early.

cc @mattiasb

Closes: #1025
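The early exit this PR describes, as an added illustration that is not bandit's own plugin code: a minimal AST walker that reports tarfile extract/extractall calls unless they pass filter="data". The function and sample source are this example's own; it keys on the method name only, so it does not recognise the callable form filter=tarfile.data_filter.

```python
import ast

# Added example, not bandit's plugin: flag extract()/extractall() calls that
# do not pass filter="data" (the Python 3.12+ extraction filter that rejects
# absolute paths, path traversal and other dangerous archive members).
SAFE_FILTER = "data"
EXTRACT_METHODS = {"extractall", "extract"}


def has_data_filter(call: ast.Call) -> bool:
    """Return True if the call passes the literal keyword filter="data"."""
    for kw in call.keywords:
        if kw.arg == "filter" and isinstance(kw.value, ast.Constant):
            return kw.value.value == SAFE_FILTER
    return False


def find_unsafe_extractall(source: str) -> list[int]:
    """Return sorted line numbers of extract/extractall calls lacking filter="data".

    Narrow by design: it matches on the method name only, so any object with an
    extractall() method is treated as a tarfile, and filter=tarfile.data_filter
    (a Name, not a Constant) is still reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in EXTRACT_METHODS:
            # Early exit, as the PR describes: filter="data" makes the call safe.
            if has_data_filter(node):
                continue
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample input: two calls to report, one that is allowed.
SAMPLE = """\
import tarfile
with tarfile.open("archive.tar") as tar:
    tar.extractall(path="out")                                     # reported
    tar.extractall(path="out", filter="data")                      # allowed
    tar.extract("member.txt", path="out", filter="fully_trusted")  # reported
"""

if __name__ == "__main__":
    print(find_unsafe_extractall(SAMPLE))  # [3, 5]
```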

etienneschalk commented 9 months ago

Hello, thanks for your review! I removed the diff noise from formatting and rebased / squashed the commits.

To test locally I used

bandit tests/functional/test_functional.py