andrewmusselman opened a new issue, #722:
URL: https://github.com/apache/tooling-trusted-releases/issues/722

   **ASVS Requirement:** 5.3.2
   
   **Description:**
   
   Archive member names from tar/zip files are used with insufficient traversal 
sanitization in the check task modules. For example, in 
`atr/tasks/checks/targz.py`:
   
   ```python
   member_name = member.name.lstrip("./")  # INSUFFICIENT — lstrip doesn't prevent ../
   ```
   
   This is distinct from the archive *extraction* code in `atr/archives.py`, 
which correctly uses `_safe_path()`.
   
   **Affected locations:**
   - `atr/tasks/checks/license.py`
   - `atr/tasks/checks/targz.py`
   - `atr/tasks/checks/zipformat.py`
   
   **CWE:** CWE-22 (Path Traversal)
   
   **Recommended remediation:**
   Replace `lstrip("./")` with proper normalization and validation:
   ```python
   import os

   for member_name in member_names:
       normalized = os.path.normpath(member_name)
       if normalized.startswith('..') or normalized.startswith('/'):
           continue  # reject or skip member
   ```
   
   Also add unit tests for `_safe_path`.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
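The following is an added example, not code from the issue above or from the ATR project. It demonstrates why `lstrip("./")` fails as a traversal check and what a member-name check based on `normpath` looks like when applied to an in-memory tar.gz. The function names (`is_safe_member_name`, `lstrip_only`, `safe_member_names`, `build_sample_archive`) and the sample archive contents are constructed for the example and are not the project's own.

```python
import io
import posixpath
import tarfile


def is_safe_member_name(name: str) -> bool:
    """Return True only if an archive member name stays inside the extraction root.

    Archive member names are POSIX-style paths, so posixpath is used regardless of
    the host OS. Rejected: empty names, NUL bytes, backslashes (a separator on
    Windows extractors), absolute paths, names that normalize to "." or "", and
    any normalized name that starts with ".." (escapes the root).
    """
    if not name or "\\" in name or "\x00" in name:
        return False
    if name.startswith("/"):
        return False
    normalized = posixpath.normpath(name)
    if normalized in (".", ""):
        return False
    if normalized == ".." or normalized.startswith("../"):
        return False
    return True


def lstrip_only(name: str) -> str:
    """The insufficient approach from the issue: lstrip removes leading '.' and '/'
    characters only, so 'a/../../b' passes through untouched and '../x' is quietly
    turned into the benign-looking 'x'."""
    return name.lstrip("./")


def safe_member_names(data: bytes) -> list[str]:
    """Walk a tar.gz held in memory and return the names of members that pass the
    check; unsafe members are skipped rather than processed."""
    kept = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if is_safe_member_name(member.name):
                kept.append(member.name)
    return kept


def build_sample_archive() -> bytes:
    """Constructed sample tar.gz: one benign member and two traversal attempts.
    tarfile does not validate member names on write, so these names are stored as-is."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in (
            "project-1.0/LICENSE",
            "../outside.txt",
            "project-1.0/../../outside2.txt",
        ):
            payload = b"sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for candidate in ("project-1.0/LICENSE", "../outside.txt", "project-1.0/../../outside2.txt"):
        print(f"{candidate!r}: lstrip -> {lstrip_only(candidate)!r}, safe={is_safe_member_name(candidate)}")
    print("kept:", safe_member_names(build_sample_archive()))
```

The check normalizes first and then tests the normalized result, so a component such as `project-1.0/../../` is caught even though the raw name neither starts with `..` nor with `/`. Root entries like `./` normalize to `.` and are skipped too, which is harmless for a check task that only inspects file members.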

