pydistcheck icon indicating copy to clipboard operation
pydistcheck copied to clipboard

Published 20 hours ago verified publisher icon jameslamb

[new check] archives with dangerous paths

Open jameslamb opened this issue 1 year ago • 0 comments

What should be checked?

pydistcheck should complain about any of the following in archive paths:

  • begins with ./
  • begins with ../
  • contains a ..
  • begins with /
  • contains a : (e.g. Windows absolute paths like C:/Users/James/Documents)

What should the name of this check be?

dangerous-paths

Will this check introduce any additional configuration?

yes

Details on additional configuration required.

No response

Distribution type

  • [X] source (e.g. .tar.gz)
  • [X] built (e.g. .whl)

Notes

See:

  • https://peps.python.org/pep-0706/
  • https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter
  • https://github.com/python/cpython/issues/45385
  • https://bugs.python.org/issue21109
  • https://mort.coffee/home/tar/
  • https://unix.stackexchange.com/a/276962/550004

jameslamb avatar Feb 04 '24 05:02 jameslamb