
Created tarball contains . dir making a tarbomb

Open Glutexo opened this issue 6 years ago • 1 comment

The tarball created by Insights client contains a ./ entry at its beginning. This has an unexpected implication: when extracted using sudo, the permissions of the current folder are overwritten by “extracting” the ./ entry. This is an unpleasant tarbomb, especially when run directly in a home folder.

Steps to reproduce:

$ insights-client --no-upload
Starting to collect Insights data for my_machine
Archive saved at /var/tmp/EhnJNj/my_machine-20180719131146.tar.gz
$ sudo tar -tf /var/tmp/EhnJNj/my_machine-20180719131146.tar.gz
./
./my_machine-20180719131146/
$ mkdir archive
$ ls -l
[…]
drwxrwxr-x.  2 stomsa stomsa        6 Jul 19 13:13 archive
[…]
$ cd archive
$ sudo tar -xzf /var/tmp/EhnJNj/my_machine-20180719131146.tar.gz
$ ls -l ..
ls: cannot access ..: Permission denied
$ sudo ls -l ..
[…]
drwx------.  3 root   root         93 Jul 19 13:11 archive
[…]

Compare with a manually created tarball. See that the ./ entry is missing and that other paths do not begin with ./. The current folder’s permissions don’t get overwritten, even when the tarball is created and extracted with sudo:

$ sudo tar -czf my_machine-20180719131146.tar.gz my_machine-20180719131146
$ sudo tar -tf my_machine-20180719131146.tar.gz
my_machine-20180719131146/
[…]
$ sudo rm -rf my_machine-20180719131146
$ sudo chown stomsa:stomsa .
$ sudo tar -xzf my_machine-20180719131146.tar.gz
$ sudo ls -l ..
drwx------.  3 stomsa stomsa      187 Jul 19 13:46 archive

My guess is that the bad stuff happens somewhere around here https://github.com/RedHatInsights/insights-core/blob/3c3fb5a0ade8839a0217db014c450a8226c2f76d/insights/client/archive.py#L122.

Glutexo avatar Jul 19 '18 12:07 Glutexo
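The following script is an added example, not part of the issue above or of the insights-core project. It reproduces the ./ tarbomb without root: a directory with mode 0700 is archived as `tar -C <dir> .`, which stores a leading ./ entry carrying that mode, and extracting it into a 0775 directory chmods that directory to 0700 (GNU tar applies a directory entry's mode to an existing directory unless told otherwise; as root it would also chown it, as in the report). It then shows the two remedies a practitioner would reach for: on the producer side, archive the directory by name from its parent (`tar -C <parent> <name>`) so no ./ entry exists, and on the consumer side, extract with `--no-overwrite-dir`, which preserves the metadata of directories that already exist. The helper names (`make_payload`, `archive_with_dot`, `archive_by_name`, `has_cwd_entry`, `extract_mode`) are hypothetical, the payload contents are constructed, and GNU tar plus GNU or BSD `stat` are assumed.

```shell
#!/bin/sh
# Added example (not from the insights-core issue or project): reproduce the
# "./" tarbomb as an unprivileged user and show both fixes.
set -eu

# Octal mode of a path: GNU coreutils stat, falling back to BSD stat.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# $1 = work dir. Create the payload directory with a restrictive mode (0700),
# the kind of mode a root-run collector leaves behind. Contents are constructed.
make_payload() {
    mkdir -m 700 "$1/payload"
    echo "constructed sample content" > "$1/payload/data.txt"
}

# Problematic form: archive the directory's *contents* from inside it.
# The first entry is "./" and it carries the 0700 mode of the payload dir.
archive_with_dot() {
    tar -C "$1/payload" -czf "$1/bomb.tar.gz" .
    printf '%s\n' "$1/bomb.tar.gz"
}

# Fixed form: name the directory and archive it from its parent.
# Entries start with "payload/", and no "./" entry is written.
archive_by_name() {
    tar -C "$1" -czf "$1/safe.tar.gz" payload
    printf '%s\n' "$1/safe.tar.gz"
}

# Cheap pre-extraction check: does the listing contain a bare "./" entry?
has_cwd_entry() {
    if tar -tzf "$1" | grep -qxF './'; then echo yes; else echo no; fi
}

# $1 = archive, remaining args = extra tar options (e.g. --no-overwrite-dir).
# Extract into a fresh 0775 directory and report that directory's mode after
# extraction, i.e. whether the archive rewrote its destination's permissions.
extract_mode() {
    archive=$1
    shift
    dest=$(mktemp -d)
    chmod 775 "$dest"
    ( cd "$dest" && tar "$@" -xzf "$archive" )
    mode_of "$dest"
}

# Walk through the scenario when run directly.
work=$(mktemp -d)
make_payload "$work"
bomb=$(archive_with_dot "$work")
safe=$(archive_by_name "$work")
echo "bomb has ./ entry:             $(has_cwd_entry "$bomb")"
echo "safe has ./ entry:             $(has_cwd_entry "$safe")"
echo "cwd mode after bomb:           $(extract_mode "$bomb")"
echo "cwd mode, --no-overwrite-dir:  $(extract_mode "$bomb" --no-overwrite-dir)"
echo "cwd mode after safe archive:   $(extract_mode "$safe")"
```

The producer-side fix is the one that matters for this issue: a tarball that never contains ./ cannot touch the extraction directory no matter how it is unpacked. `--no-overwrite-dir` is a defensive habit for the person extracting untrusted or unfamiliar archives as root, but it does not help users who simply run `sudo tar -xzf` as in the report.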

Still not fixed.

Glutexo avatar Nov 10 '21 13:11 Glutexo