From e62a9fbd9ae519d35341dd2e972b43fb1f00b7c7 Mon Sep 17 00:00:00 2001
From: layday
Date: Tue, 13 Jun 2023 12:46:09 +0200
Subject: [PATCH] filter out malicious files when extracting tar archives
---
 src/build/__main__.py | 5 +++--
 src/build/util.py | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/build/__main__.py b/src/build/__main__.py
index 2d65720..914e0d6 100644
--- a/src/build/__main__.py
+++ b/src/build/__main__.py
@@ -9,7 +9,6 @@ import platform
 import shutil
 import subprocess
 import sys
-import tarfile
 import tempfile
 import textwrap
 import traceback
@@ -228,6 +227,8 @@ def build_package_via_sdist(
     :param isolation: Isolate the build in a separate environment
     :param skip_dependency_check: Do not perform the dependency check
     """
+    from .util import TarFile
+
     if 'sdist' in distributions:
         raise ValueError('Only binary distributions are allowed but sdist was specified')
@@ -238,7 +239,7 @@ def build_package_via_sdist(
     sdist_out = tempfile.mkdtemp(prefix='build-via-sdist-')
     built: list[str] = []
     # extract sdist
-    with tarfile.open(sdist) as t:
+    with TarFile.open(sdist) as t:
         t.extractall(sdist_out)
     try:
         builder = _ProjectBuilder(os.path.join(sdist_out, sdist_name[: -len('.tar.gz')]))
diff --git a/src/build/util.py b/src/build/util.py
index 90c0028..7597667 100644
--- a/src/build/util.py
+++ b/src/build/util.py
@@ -5,7 +5,9 @@ from __future__ import annotations
 import os
 import pathlib
 import sys
+import tarfile
 import tempfile
+import typing
 import pyproject_hooks
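Review bot: The function-scope `from .util import TarFile` in build_package_via_sdist has no explanation, and nothing in the hunk says why it is not a module-level import next to the ones touched in the first hunk; a one-line comment would save the next reader a search, e.g. `# deferred import: util.TarFile carries the PEP 706 extraction filter`. If the deferral exists to keep `build.util` (and the `pyproject_hooks` import it pulls in) off the CLI's import path, state that instead. The body of build_package_via_sdist continues outside the hunk.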
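Review bot: At `t.extractall(sdist_out)` nothing on the line shows that extraction is now filtered — the protection lives entirely in the `extraction_filter` attribute of `util.TarFile`, and on interpreters without `tarfile.data_filter` that name is the plain `tarfile.TarFile`, so this call extracts the archive unfiltered there. A comment beside the call should state both facts, e.g. `# util.TarFile applies PEP 706's "data" filter where the interpreter provides it; older interpreters extract unfiltered`. Passing `filter='data'` here would be more explicit but raises TypeError on interpreters that predate the backport, which is presumably why the subclass exists. The enclosing function starts and ends outside the hunk.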
@@ -56,6 +58,20 @@ def project_wheel_metadata(
     return _project_wheel_metadata(builder)
+if typing.TYPE_CHECKING:
+    TarFile = tarfile.TarFile
+
+else:
+    # Per https://peps.python.org/pep-0706/, the "data" filter will become
+    # the default in Python 3.14.
+    if sys.version_info < (3, 14) and hasattr(tarfile, 'data_filter'):
+
+        class TarFile(tarfile.TarFile):
+            extraction_filter = staticmethod(tarfile.data_filter)
+
+    else:
+        TarFile = tarfile.TarFile
+
 __all__ = [
     'project_wheel_metadata',
 ]
-- 
2.40.1
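Review bot: The final `else` leaves `TarFile` as the unfiltered `tarfile.TarFile` whenever `tarfile.data_filter` is missing, and nothing tells the caller that the protection is absent; a `warnings.warn(...)` in that branch, or at least a comment such as `# no data_filter on this interpreter: extraction is unfiltered`, would make the degraded case visible. The subclass also lacks a docstring — something like `"""tarfile.TarFile that extracts with PEP 706's "data" filter, rejecting members that would land outside the destination directory."""` would explain the single `extraction_filter` line. The `sys.version_info < (3, 14)` half of the condition is redundant with the `hasattr` test: per the hunk's own comment the data filter is the default on 3.14, so the subclass would be harmless there and the version test could go. Rejected members surface from `extractall` as `tarfile.FilterError`, which the caller in `__main__.py` does not catch, so a bad archive fails the build loudly — that looks intended, but it is worth a sentence in the docstring.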