>/iYSrSSKrSSKrSSKJr SSKJr S SjrSrSr \R"S5\R"S 5S 55r g) a ================================= B202: Test for tarfile.extractall ================================= This plugin will look for usage of ``tarfile.extractall()`` Severity are set as follows: * ``tarfile.extractall(members=function(tarfile))`` - LOW * ``tarfile.extractall(members=?)`` - member is not a function - MEDIUM * ``tarfile.extractall()`` - members from the archive is trusted - HIGH Use ``tarfile.extractall(members=function_name)`` and define a function that will inspect each member. Discard files that contain a directory traversal sequences such as ``../`` or ``\..`` along with all special filetypes unless you explicitly need them. :Example: .. code-block:: none >> Issue: [B202:tarfile_unsafe_members] tarfile.extractall used without any validation. You should check members and discard dangerous ones Severity: High Confidence: High CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html) Location: examples/tarfile_extractall.py:8 More Info: https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html 7 tar = tarfile.open(filename) 8 tar.extractall(path=tempfile.mkdtemp()) 9 tar.close() .. seealso:: - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall - https://docs.python.org/3/library/tarfile.html#tarfile.TarInfo .. versionadded:: 1.7.5 .. versionchanged:: 1.7.8 Added check for filter parameter N)issue)test_propertiesc HU[R:XaX[R"[R[R[RR SR US9S9$U[R:XaX[R"[R[R[RR SR US9S9$[R"[R[R[RR SS9$)NzUsage of tarfile.extractall(members=function(tarfile)). Make sure your function properly discards dangerous members {members}).)members)severity confidencecwetextzFound tarfile.extractall(members=?) but couldn't identify the type of members. Check if the members were properly validated {members}).z[tarfile.extractall used without any validation. Please check and discard dangerous members.) banditLOWIssuerCwePATH_TRAVERSALformatMEDIUMHIGH)levelrs _/home/james-whalen/.local/lib/python3.13/site-packages/bandit/plugins/tarfile_unsafe_members.py exec_issuer8s  ||ZZzz (( &&1    &-- ||]]}} ((!&&1  ||[[{{ ((:   cNURRHnURS:XdMURn[ U[ R 5(aSURR0s $[ U[ R5(a UROUnSU0s $ g)NrFunctionOther) nodekeywordsargvalue isinstanceastCallfuncidName)contextkeywordrrs rget_members_valuer&Vsu<<(( ;;) #--C#sxx(("CHHKK00",S#((";";'')rcURRHQnURS:XdMURn[ U[ R 5=(a URS:Hs $ g)Nfilterdata)rrrrrrConstant)r$r%rs ris_filter_datar+asJ<<(( ;;( "--Cc3<<0HSYY&5H H)rB202r c~[URS5SUR;/5(aSUR;a[ U5(agSUR;aE[ U5nSU;a[ [RU5$[ [RU5$[ [R5$g)Ntarfile extractallr(rr) allis_module_imported_exactcall_function_name call_keywordsr+r&rr r rr)r$rs rtarfile_unsafe_membersr4hs  , ,Y 7 G66 6  w,, ,1H1H -- -'0GW$!&**g66!&--99&++&&r)) __doc__rr bandit.corerrtestrr&r+test_idchecksr4rrr<sW,Z / <(IfV''r