Merge pull request #1325 from Bidaya0/fix/bandit-tarfile-temp-fix

fix/bandit-tarfile-temp-fix
HXSecurity · Mar 13, 2023 · c7b65c8 · c7b65c8
2 parents 280e48a + 438be06
commit c7b65c8
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/.github/workflows/teststate.yml b/.github/workflows/teststate.yml
@@ -8,7 +8,7 @@ on:
       - '*'
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main]
+    branches: [main, develop]
   schedule:
     - cron: '0 0 * * *'
 

diff --git a/dongtai_protocol/views/agent_download.py b/dongtai_protocol/views/agent_download.py
@@ -123,7 +123,9 @@ def create_config(self, base_url, agent_token, auth_token, project_name, **kwarg
                 shutil.copyfile(self.original_agent_file, f"{user_file}.bak")
 
             agent_file = tarfile.open(user_file)
-            agent_file.extractall(path=self.target_path)
+            agent_file.extractall(
+                path=self.target_path, members=lambda memberz: memberz
+            )  # trust upstream package until upstream provide file list to validate.
             names = agent_file.getnames()
             self.target_source_path = f"{self.target_path}/{names[0]}"
             config_path = ""
@@ -192,7 +194,9 @@ def create_config(self, base_url, agent_token, auth_token, project_name, **kwarg
                 shutil.copyfile(self.original_agent_file, f"{user_file}.bak")
 
             agent_file = tarfile.open(user_file)
-            agent_file.extractall(path=self.target_path)
+            agent_file.extractall(
+                path=self.target_path, members=lambda memberz: memberz
+            )  # trust upstream package until upstream provide file list to validate.
             agent_file.close()
 
             config_lines = []
@@ -280,7 +284,9 @@ def is_tar_file(file):
         tmp_path = f"/tmp/.dongtai_agent_test/{time.time_ns()}"
         try:
             agent_file = tarfile.open(file)
-            agent_file.extractall(path=tmp_path)
+            agent_file.extractall(
+                path=tmp_path, members=lambda memberz: memberz
+            )  # trust upstream package until upstream provide file list to validate.
         except tarfile.ReadError:
             return False
         except Exception as e: