
fix: check paths in an archive file before extracting #366

Merged
merged 1 commit into from
Jul 17, 2023

Conversation

behnazh-w (Member) commented Jul 14, 2023

The paths in an archive file are checked for path traversal patterns before extraction. Also, Bandit v1.7.5 is producing false positives for request timeout arguments, which have been suppressed.

These issues were raised after updating pre-commit tools.

Note that I still need to suppress B202:tarfile_unsafe_members because Bandit has a bug for this check.

The paths in an archive file are checked for path traversal patterns before extraction. Also, Bandit v1.7.5 is producing false positives for request timeout arguments, which have been suppressed.

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
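As an added illustration of the kind of pre-extraction check the description refers to (example code, not the project's own implementation), the Python below validates every `tarfile` member against the destination directory before `extractall` runs. The in-memory sample archive, its member names and the `extract_dir` destination are constructed here for the demo.

```python
import io
import os
import tarfile
from pathlib import Path


def is_safe_member(member: tarfile.TarInfo, dest_dir: str) -> bool:
    """True only if extracting ``member`` cannot write outside ``dest_dir``."""
    dest = Path(dest_dir).resolve()
    if os.path.isabs(member.name):  # joining an absolute name discards dest_dir
        return False
    target = (dest / member.name).resolve()  # collapses any ".." components
    if target != dest and dest not in target.parents:
        return False
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's directory, hardlinks to the root
        base = target.parent if member.issym() else dest
        link_target = (base / member.linkname).resolve()
        if link_target != dest and dest not in link_target.parents:
            return False
    return True


def unsafe_members(archive: tarfile.TarFile, dest_dir: str) -> list[str]:
    """Names of members failing the check; an empty list means safe to extract."""
    return [m.name for m in archive.getmembers() if not is_safe_member(m, dest_dir)]


def safe_extractall(archive: tarfile.TarFile, dest_dir: str) -> None:
    """Validate every member first; refuse the whole archive if any fails."""
    bad = unsafe_members(archive, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, unsafe member paths: {bad}")
    archive.extractall(dest_dir)  # nosec B202 -- members were validated above


def build_demo_archive() -> tarfile.TarFile:
    """Constructed in-memory sample: one benign file plus three traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/README.md", "../escape.txt", "/tmp/absolute.txt"):
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"demo"))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

On Python 3.12 and the releases that backported PEP 706, `extractall(dest_dir, filter="data")` performs equivalent checks in the standard library.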
@behnazh-w behnazh-w requested a review from tromai as a code owner July 14, 2023 06:10
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 14, 2023
@behnazh-w behnazh-w merged commit 74c9637 into staging Jul 17, 2023
@behnazh-w behnazh-w deleted the fix-bandit-issues branch July 17, 2023 01:14
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024