[Security] tarfile.extractall without member validation in build/fbcode_builder/getdeps/fetcher.py

**Severity**: HIGH (Bandit B202)
**File**: `build/fbcode_builder/getdeps/fetcher.py`

## Vulnerability

`tarfile.extractall()` without member validation allows path traversal (zip slip). A malicious archive can write files outside the target directory.

## Fix

```python
import os

SAFE_ID = __import__("re").compile(r"^[a-zA-Z0-9_.-]+$")

def _is_within_directory(directory, target):
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return abs_target.startswith(abs_directory + os.sep) or abs_target == abs_directory

def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
    for member in tar.getmembers():
        member_path = os.path.join(path, member.name)
        if not _is_within_directory(path, member_path):
            raise Exception(f"Path traversal in tar: {member.name}")
    tar.extractall(path, members, numeric_owner=numeric_owner)
```

## References
- CWE-22: Path Traversal
- Bandit B202
- [OWASP: Zip Slip](https://owasp.org/www-community/attacks/Zip_Slip)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] tarfile.extractall without member validation in build/fbcode_builder/getdeps/fetcher.py #430

Vulnerability

Fix

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[Security] tarfile.extractall without member validation in build/fbcode_builder/getdeps/fetcher.py #430

Description

Vulnerability

Fix

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions