girichinna27 opened a new pull request, #4586: URL: https://github.com/apache/cassandra/pull/4586
Hi Maintainers 👋,

This Pull Request addresses a Semgrep security finding related to the unsafe extraction of tar archives, which may lead to path traversal vulnerabilities if the archive source is attacker-controlled.

🔍 Issue Details
Rule ID: tarfile-extractall-traversal
Severity: Medium
Rule Message: Possible path traversal through tarfile.open($PATH).extractall() if the source tar is controlled by an attacker.

📍 Affected Location
File Path: /tools/scanResult/unzipped-72658404/.build/run-ci
Line: 651

✅ Fix Applied
Updated the tar extraction logic to ensure that tar members are validated before extraction, preventing files from being written outside the intended destination directory. This avoids unsafe use of extractall() on potentially untrusted archives.

🎯 Impact
This change mitigates the risk of directory traversal attacks by ensuring only safe and expected paths are extracted from tar archives, strengthening the overall security of the extraction process.

The issue was identified and remediated using AI-Guardian, a security analysis tool developed by my company OpsMx.

Thanks for your time and review 🙏

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
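The fix described in the pull request validates each tar member before extraction so nothing can be written outside the destination directory. The following is an added example of that pattern, not the pull request's own code or anything from the Cassandra repository: it checks every member's resolved path (and, for symbolic and hard links, the link target) against the destination, refuses the whole archive if any member escapes, and only then extracts. The archives it operates on are constructed in memory; the member names "ok/file.txt", "../escape.txt", "/etc/absolute.txt" and "ok/link" are sample values chosen for the demonstration.

```python
import io
import os
import tarfile
import tempfile

# Added example (not the pull request's own code): validate every tar member
# against the destination directory before extracting, instead of calling
# extractall() blindly on an archive that may come from an untrusted source.


def _inside(directory: str, target: str) -> bool:
    """True if `target`, after resolving '..' and symlinks, lies inside `directory`."""
    real_dir = os.path.realpath(directory)
    real_target = os.path.realpath(target)
    return os.path.commonpath([real_dir, real_target]) == real_dir


def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return the names of members that would write to, or point, outside `dest`."""
    unsafe = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if os.path.isabs(member.name) or not _inside(dest, target):
            unsafe.append(member.name)  # absolute path or a '..' escape
        elif member.issym():
            # A symlink's linkname is relative to the member's own directory.
            link_target = os.path.join(os.path.dirname(target), member.linkname)
            if os.path.isabs(member.linkname) or not _inside(dest, link_target):
                unsafe.append(member.name)
        elif member.islnk():
            # A hard link's linkname is relative to the archive root.
            link_target = os.path.join(dest, member.linkname)
            if os.path.isabs(member.linkname) or not _inside(dest, link_target):
                unsafe.append(member.name)
    return unsafe


def safe_extractall(tar_bytes: bytes, dest: str) -> list:
    """Validate the whole archive first, then extract; return the extracted member names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        unsafe = find_unsafe_members(tar, dest)
        if unsafe:
            raise ValueError("refusing to extract, unsafe members: " + ", ".join(unsafe))
        # On interpreters that ship tarfile.data_filter (3.12+ and backports),
        # also ask the stdlib to apply its own 'data' extraction filter.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def build_sample_tar(malicious: bool) -> bytes:
    """Constructed in-memory archive: one benign file, plus hostile members if requested."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        names = ["ok/file.txt"]
        if malicious:
            names += ["../escape.txt", "/etc/absolute.txt"]
        for name in names:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if malicious:
            link = tarfile.TarInfo("ok/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"  # resolves to the parent of dest
            tar.addfile(link)
    return buf.getvalue()


def demo() -> dict:
    """Run the hostile and the benign archive against a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    with tarfile.open(fileobj=io.BytesIO(build_sample_tar(True)), mode="r:*") as tar:
        rejected = sorted(find_unsafe_members(tar, dest))
    try:
        safe_extractall(build_sample_tar(True), dest)
        hostile_refused = False
    except ValueError:
        hostile_refused = True
    extracted = safe_extractall(build_sample_tar(False), dest)
    return {
        "rejected": rejected,
        "hostile_refused": hostile_refused,
        "extracted": extracted,
        "file_present": os.path.isfile(os.path.join(dest, "ok", "file.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately all-or-nothing: a single escaping member rejects the archive rather than silently skipping it, since a partially extracted build input is usually worse than a failed one. Resolving both sides with `os.path.realpath` before `commonpath` is what makes the comparison robust to `..` segments and to a destination that is itself a symlink.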

