Quick description
There is an unsafe extraction of a tarfile in setup_tools.py. A good practice would be to validate that each destination file path lies inside the destination directory and that they are valid directories; not doing this may allow files outside the destination directory to be overwritten.
In lines 63 to 65:
    with tarfile.open(fileobj=content) as tf:
        dirname = tf.getnames()[0].partition('/')[0]
        tf.extractall()  # extracts every member as named, including paths that escape the destination
I believe a better way would be to use
    with tarfile.open(fileobj=content) as tf:
        dirname = tf.getnames()[0].partition('/')[0]
        # only extract members whose paths were validated to stay inside the destination
        tf.extractall(members=get_safe_members_in_tar_file(tf))
In my pull request this function will be found in tar_validation.py
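As an added illustration (not the pull request's own tar_validation.py), the following shows one way such a member filter can work, together with a constructed archive containing a traversal entry, an absolute path and an escaping symlink. The destination path `/tmp/extract` is a placeholder and is only used for lexical path comparison.

```python
import io
import os
import tarfile

def is_within_directory(directory: str, target: str) -> bool:
    """Return True if `target`, joined onto `directory`, resolves inside it."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(os.path.join(directory, target))
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory

def get_safe_members_in_tar_file(tf: tarfile.TarFile, dest: str = "/tmp/extract") -> list:
    """Return only members whose names stay under `dest`; symlinks and
    hardlinks whose targets would escape `dest` are dropped as well.
    (Hypothetical implementation; `dest` is a placeholder directory.)"""
    safe = []
    for member in tf.getmembers():
        if os.path.isabs(member.name) or not is_within_directory(dest, member.name):
            continue  # absolute path or ../ traversal
        if member.issym() or member.islnk():
            link_target = member.linkname
            if member.issym():  # symlink targets are relative to the link's own directory
                link_target = os.path.join(os.path.dirname(member.name), link_target)
            if os.path.isabs(member.linkname) or not is_within_directory(dest, link_target):
                continue  # link points outside the destination
        safe.append(member)
    return safe

def build_sample_tar() -> io.BytesIO:
    """Constructed in-memory archive: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, data: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add_file("pkg-1.0/README")   # benign
        add_file("../evil")          # parent-directory traversal
        add_file("/etc/evil")        # absolute path
        link = tarfile.TarInfo("pkg-1.0/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # symlink escaping the destination
        tf.addfile(link)
    buf.seek(0)
    return buf

def safe_member_names(content: io.BytesIO) -> list:
    """Open the archive the way setup_tools.py does and list what would be extracted."""
    with tarfile.open(fileobj=content) as tf:
        return [m.name for m in get_safe_members_in_tar_file(tf)]
```

On Python 3.12 and later, `tf.extractall(filter="data")` from the standard library performs comparable checks.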