def traversal_via_tarfile_extractall(context):
    """Flag ``<name>.extractall()`` calls whose receiver may be a ``tarfile.open`` result.

    Args:
        context: plugin context; ``context.node`` is the AST ``Call`` being visited.

    Returns:
        A ``bandit.Issue`` (MEDIUM severity, HIGH confidence) when the call is an
        ``.extractall`` attribute call on a plain name that ``s_utils`` resolves to
        a ``tarfile.open`` object; ``None`` in every other case.
    """
    call = context.node
    func = call.func
    # Only the shape ``<simple_name>.extractall(...)`` is considered; attribute
    # chains, subscripts or call results as the receiver are skipped outright.
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
        return None
    attr_name = s_utils.get_attribute_name(func)
    if not attr_name or not attr_name.endswith('.extractall'):
        return None
    # NOTE(review): the call's keyword arguments (e.g. ``members``/``filter``) are
    # not inspected, so a hardened extractall() call is reported just the same.
    if not s_utils.method_could_be_class(call, context, ('tarfile.open',)):
        return None
    return bandit.Issue(
        severity=bandit.MEDIUM,
        confidence=bandit.HIGH,
        text='Use of tarfile.extractall() can result in files being written to arbitrary locations on the file system.',
    )