asf-tooling opened a new issue, #997:
URL: https://github.com/apache/tooling-trusted-releases/issues/997
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The `extract_member()` method uses `tar_filter='fully_trusted'` as its
default parameter value. PEP 706 and the Python `tarfile` documentation
describe this filter as the old, unfiltered extraction behaviour that is not a
secure choice for untrusted input. The `fully_trusted` filter performs no checks
at all: absolute member names, path traversal sequences (`../`), device nodes,
symlinks and hard links whose targets lie outside the extraction directory, and
setuid/setgid mode bits are all written exactly as the archive specifies them.
While mitigating controls exist (pre-extraction validation, quarantine
workflow), the insecure default violates the principle of secure defaults.
### Details
Affected location: `atr/tarzip.py` lines 130-154
ASVS 1.5.2 states: "Deserialization mechanisms that are explicitly defined
as insecure must not be used with untrusted input." The `fully_trusted` filter
is explicitly documented as insecure by Python.
Mitigating controls:
- Pre-extraction validation in `check_archive_safety()`
- Quarantine workflow with `SecurityConfig`
However, the insecure default creates risk if these controls are bypassed or
misconfigured, and any new call site that omits `tar_filter` silently gets
unfiltered extraction.
### Recommended Remediation
Change the default `tar_filter` parameter from `'fully_trusted'` to `'data'`,
the filter PEP 706 recommends for archives that are not fully trusted and the
`tarfile` default from Python 3.14 on:
```python
def extract_member(
    self,
    member: tarfile.TarInfo,
    path: str,
    tar_filter: str = 'data',  # Changed from 'fully_trusted'
) -> int:
```
Update the docstring to:
- Document the security implications of each filter option (`fully_trusted`,
`tar`, `data`)
- Explicitly state that `fully_trusted` should only be used for verified
trusted archives
Add test cases to verify that, with the default filter, path traversal members
(`../`) are rejected with `tarfile.OutsideDestinationError`, absolute member
names have their leading `/` stripped so they land under the extraction
directory, and symlinks with absolute targets or targets outside the extraction
directory are rejected (`tarfile.AbsoluteLinkError`,
`tarfile.LinkOutsideDestinationError`).
Note that the `filter=` argument to `TarFile.extract()`/`extractall()` exists
only in Python 3.12+ and the backport releases 3.8.17, 3.9.17, 3.10.12 and
3.11.4; on older interpreters the call raises `TypeError`, so the supported
Python floor should be confirmed before relying on it.
### Acceptance Criteria
- [ ] Default tar_filter is changed to 'data'
- [ ] Docstring documents security implications
- [ ] Test cases verify secure extraction behavior
- [ ] Path traversal members and symlinks escaping the extraction directory are rejected, and absolute member names are made relative to it, by default
### References
- Source reports: L2:1.5.2.md
- Related findings: None
- ASVS sections: 1.5.2
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]