Python: Add more tarslip examples

2026-04-30 19:26:02 +02:00 · 2020-02-20 13:17:11 +01:00
parent c94582a1c0
commit 2d637e1cf7
1 changed files with 16 additions and 0 deletions
--- a/python/ql/test/query-tests/Security/CWE-022/tarslip.py
+++ b/python/ql/test/query-tests/Security/CWE-022/tarslip.py
@@ -50,3 +50,19 @@ def safemembers(members):

 tar = tarfile.open(unsafe_filename_tar)
 tar.extractall(members=safemembers(tar))
+
+
+# Wrong sanitizer (is missing not)
+tar = tarfile.open(unsafe_filename_tar)
+for entry in tar:
+    if os.path.isabs(entry.name) or ".." in entry.name:
+        tar.extract(entry, "/tmp/unpack/") # TODO: FN
+
+
+# OK Sanitized using not
+tar = tarfile.open(unsafe_filename_tar)
+for entry in tar:
+    # using `if not (os.path.isabs(entry.name) or ".." in entry.name):`
+    # would make the sanitizer work, but for the wrong reasons since out library is a bit broken.
+    if not os.path.isabs(entry.name):
+        tar.extract(entry, "/tmp/unpack/")