B202: detect tarfile extractall imported via a from-import#1442
Open
arpitjain099 wants to merge 2 commits into
Open
B202: detect tarfile extractall imported via a from-import#1442arpitjain099 wants to merge 2 commits into
arpitjain099 wants to merge 2 commits into
Conversation
B202 (tarfile_unsafe_members) gated on is_module_imported_exact("tarfile"),
so a from-import like `from tarfile import TarFile` followed by
`TarFile(p).extractall(out)` was not flagged - a false negative on a real
path-traversal sink (the import registers as `tarfile.TarFile`, which the
exact match misses). Switch to is_module_imported_like("tarfile"), matching
how most plugins resolve imports.
Verified it still skips safe cases (filter="data", and unrelated
zipfile.ZipFile().extractall()). Added a from-import example + functional test.
Fixes PyCQA#1171.
Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
for more information, see https://pre-commit.ci
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1171.
B202 (
tarfile_unsafe_members) only fired when the file had a bareimport tarfile. If you instead write:nothing was reported - a false negative on a genuine path-traversal sink (CWE-22). The cause is the guard:
from tarfile import TarFileregisters the import astarfile.TarFile, sois_module_imported_exact("tarfile")is False and the check is skipped.The fix swaps that for
is_module_imported_like("tarfile"), which is how most plugins resolve imports.I checked it doesn't widen into false positives:
extractallwithfilter="data"stays clean, and an unrelatedzipfile.ZipFile(...).extractall()stays clean (the substring "tarfile" isn't in "zipfile.ZipFile"). Added a from-import example and a functional test for it; the full functional suite still passes.