Skip to content

fix: Improve Path Boundary Validation in SafeTarExtractor#1580

Open
sarv-tech wants to merge 1 commit into
steam-bell-92:mainfrom
sarv-tech:fix-path-traversal
Open

fix: Improve Path Boundary Validation in SafeTarExtractor#1580
sarv-tech wants to merge 1 commit into
steam-bell-92:mainfrom
sarv-tech:fix-path-traversal

Conversation

@sarv-tech

Copy link
Copy Markdown

📖 Description

This Pull Request strengthens the directory boundary validation mechanisms within SafeTarExtractor (security/tar_safe.py) to prevent path traversal attempts.

The Problem:
Previously, the _validate_member function relied on string prefix comparisons (target_str.startswith(extract_str)) to verify that an extracted file remains inside the intended destination directory. This approach is vulnerable to "Partial Path Traversal" bypasses. Because it evaluates raw strings without enforcing directory separators, an attacker can extract files to a sibling directory that shares the same prefix (e.g., if the destination is /tmp/extracted, a payload pointing to ../extracted_evil/file.txt successfully bypasses the validation).

The Solution:
This PR replaces the flawed prefix-based string validation with os.path.commonpath(). The new implementation evaluates the resolved paths structurally, guaranteeing that the extracted file strictly resides within the parent hierarchy of the target directory.

🛠️ Implementation Details

  • Replaced str.startswith() with os.path.commonpath() in both the primary .resolve() block and the .absolute() fallback block.
  • Cross-Platform Safety: Added explicit ValueError handling for os.path.commonpath(). On Windows, this error is raised if paths reside on different drives (which fundamentally constitutes a traversal escape). This is safely caught and mapped to an UnsafeTarError.
  • Zero API Breakage: The class initialization, extract method signatures, and exception types remain perfectly intact.

🔄 Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Security patch (fixes a vulnerability or strengthens security controls)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

🧪 How Has This Been Tested?

Comprehensive regression tests were added and executed successfully against the updated code.

New Tests Added in tests/test_security.py:

  • test_sibling_directory_traversal: Verifies that payloads targeting sibling directories sharing a common prefix (../extracted_evil/evil.txt) are successfully rejected.
  • test_absolute_path_traversal: Verifies that absolute path payloads (/tmp/evil_absolute.txt) are strictly blocked.
  • test_nested_valid_directories: Verifies that standard deep-nested directories continue to extract correctly without false positives.

Execution Results:

  • pytest tests/ -v completes flawlessly (59/59 tests passing, 0 skips, 0 failures).
  • Existing workflows for parent traversals, file size limits, and max file limits continue to pass natively.

✅ Checklist

  • My code follows the style guidelines and conventions of this project.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • Any dependent changes have been merged and published in downstream modules.

fix #1578

Copilot AI review requested due to automatic review settings July 10, 2026 11:36
@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the Anuj's projects Team on Vercel.

A member of the Team first needs to authorize it.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@sarv-tech

Copy link
Copy Markdown
Author

@steam-bell-92 I've created PR review approve and add labels as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] Partial Path Traversal Vulnerability in SafeTarExtractor

2 participants