fix: add absolute tarfile test, windows workaround

Signed-off-by: Terri Oda <[email protected]>
terriko · Feb 22, 2024 · 326adf6 · 326adf6
1 parent 34784dc
commit 326adf6
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/cve_bin_tool/extractor.py b/cve_bin_tool/extractor.py
@@ -100,10 +100,18 @@ async def extract_file_tar(self, filename, extraction_path):
                 tar.extractall(path=extraction_path, filter="data")  # nosec
                 # nosec line because bandit doesn't understand filters yet
 
-            # FIXME: the backported fix is not working on windows.
-            # this leaves the current (unsafe) behaviour so we can fix at least one OS for now
             elif sys.platform == "win32":
-                tar.extractall(path=extraction_path)  # nosec
+                # backported path filter (below) doesn't work on windwos for some reason,
+                # use external tar if available
+                if await aio_inpath("tar"):
+                    return aio_run_command(
+                        ["tar", "-C", extraction_path, "-axf", filename]
+                    )
+                else:
+                    # Fail and suggest upgrade to python 3.12
+                    self.logger.error(
+                        f"Unable to extract {filename} safely, please upgrade to python 3.12"
+                    )
 
             # Some versions may need us to implement a filter to avoid unsafe behaviour
             # we could consider logging a warning here
@@ -112,6 +120,7 @@ async def extract_file_tar(self, filename, extraction_path):
                     path=extraction_path,
                     members=self.tar_member_filter(tar, extraction_path),
                 )  # nosec
+
             tar.close()
         return e.exit_code
 

diff --git a/test/assets/tarfile_abs_test.tar b/test/assets/tarfile_abs_test.tar
diff --git a/test/test_extractor.py b/test/test_extractor.py
@@ -111,6 +111,18 @@ async def test_extract_file_tar(self, extension_list: list[str]):
         ):
             assert Path(dir_path).is_dir()
 
+    @pytest.mark.asyncio
+    async def test_extract_file_tar_absolute(self):
+        """Test against a tarfile with absolute file names.
+        It should not extract to /tmp/cve-bin-tool_tarfile_test.txt"""
+
+        abs_tar_test = (
+            Path(__file__).parent.resolve() / "assets" / "tarfile_abs_test.tar"
+        )
+        self.extract_files(abs_tar_test)
+        assert not Path("/tmp/cve-bin-tool_tarfile_abs_test.txt").is_file()  # nosec
+        # Bandit note: intentional hard-coded value for this test of absolute file extraction
+
     @pytest.mark.asyncio
     async def test_extract_cleanup(self):
         """Make sure tar extractor cleans up after itself"""