{"id":8701,"library":"tarsafe","title":"Tarsafe: Safe Tar File Extraction","description":"Tarsafe is a Python library that provides a safe subclass of the standard library's `tarfile.TarFile` class, primarily addressing a known security vulnerability in the `extractall()` method. It serves as a direct drop-in replacement to safely interact with tar archives. The current version is 0.0.5, and its release cadence appears sporadic, reflecting its nature as a security-focused enhancement.","status":"active","version":"0.0.5","language":"en","source_language":"en","source_url":"https://github.com/beatsbears/tarsafe","tags":["security","tarfile","archive","extraction","safe","vulnerability"],"install":[{"cmd":"pip install tarsafe","lang":"bash","label":"Install with pip"}],"dependencies":[],"imports":[{"symbol":"TarSafe","correct":"from tarsafe import TarSafe"}],"quickstart":{"code":"from tarsafe import TarSafe\n\n# Assuming 'example.tar' exists in the current directory\ntar = TarSafe.open('example.tar', 'r')\n\n# This method is now safe against directory traversal vulnerabilities\ntar.extractall()\n\ntar.close()","lang":"python","description":"Initialize a `TarSafe` object with your tar file and use `extractall()` as a direct, secure replacement for the standard library's method."},"warnings":[{"fix":"Replace `tarfile.open` with `tarsafe.TarSafe.open` and ensure `extractall()` is called on the `TarSafe` object. Python 3.11+ users can also use `tarfile.open(..., filter='data')`.","message":"The standard library's `tarfile.extractall()` method (prior to Python 3.11 with `filter` argument) is vulnerable to directory traversal attacks, allowing malicious tar files to write files outside the intended extraction directory. Tarsafe was created to mitigate this vulnerability by default.","severity":"breaking","affected_versions":"Python's `tarfile` module, especially versions prior to 3.11 without the `filter='data'` argument."},{"fix":"Ensure your tar archives are correctly formed and do not rely on implicit directory traversal for file placement. Review the contents of untrusted archives before extraction.","message":"Tarsafe's `extractall()` method actively prevents directory traversal. While this is its intended security feature, it means that archives designed to exploit this vulnerability will have their malicious components blocked, potentially leading to 'missing' files if you expected the vulnerable behavior.","severity":"gotcha","affected_versions":"All versions of tarsafe"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Replace `from tarfile import open` with `from tarsafe import TarSafe as open` or explicitly use `tarsafe.TarSafe.open()` for secure extraction.","cause":"Using the standard library's `tarfile.extractall()` method without proper sanitization or the `filter` argument (Python 3.11+).","error":"Arbitrary file write vulnerability when extracting tar files"},{"fix":"Run `pip install tarsafe` to install the library.","cause":"The 'tarsafe' library has not been installed in your Python environment.","error":"ModuleNotFoundError: No module named 'tarsafe'"},{"fix":"Inspect the paths within your tar archive. Ensure all paths are relative to the archive's root and do not contain `..` or absolute path indicators. Re-create archives with clean paths if necessary.","cause":"While `tarsafe` prevents malicious extractions, it strictly enforces path safety. If your 'trusted' archives inadvertently contain paths that could be interpreted as directory traversal attempts (e.g., `../`, absolute paths), `tarsafe` will block them.","error":"Tar extraction fails with unexpected file path errors for trusted archives after switching to tarsafe."}]}