Tarsafe: Safe Tar File Extraction

0.0.5 · active · verified Thu Apr 16

Tarsafe is a Python library that provides a safe subclass of the standard library's `tarfile.TarFile` class, primarily addressing a known security vulnerability in the `extractall()` method. It serves as a direct drop-in replacement to safely interact with tar archives. The current version is 0.0.5, and its release cadence appears sporadic, reflecting its nature as a security-focused enhancement.

Common errors

```
Arbitrary file write vulnerability when extracting tar files
```
cause Using the standard library's `tarfile.extractall()` method without proper sanitization or the `filter` argument (Python 3.11+).

fix Replace `from tarfile import open` with `from tarsafe import TarSafe as open` or explicitly use `tarsafe.TarSafe.open()` for secure extraction.
```
ModuleNotFoundError: No module named 'tarsafe'
```
cause The 'tarsafe' library has not been installed in your Python environment.

fix Run `pip install tarsafe` to install the library.
```
Tar extraction fails with unexpected file path errors for trusted archives after switching to tarsafe.
```
cause While `tarsafe` prevents malicious extractions, it strictly enforces path safety. If your 'trusted' archives inadvertently contain paths that could be interpreted as directory traversal attempts (e.g., `../`, absolute paths), `tarsafe` will block them.

fix Inspect the paths within your tar archive. Ensure all paths are relative to the archive's root and do not contain `..` or absolute path indicators. Re-create archives with clean paths if necessary.

Warnings

breaking The standard library's `tarfile.extractall()` method (prior to Python 3.11 with `filter` argument) is vulnerable to directory traversal attacks, allowing malicious tar files to write files outside the intended extraction directory. Tarsafe was created to mitigate this vulnerability by default.
Fix: Replace `tarfile.open` with `tarsafe.TarSafe.open` and ensure `extractall()` is called on the `TarSafe` object. Python 3.11+ users can also use `tarfile.open(..., filter='data')`.
gotcha Tarsafe's `extractall()` method actively prevents directory traversal. While this is its intended security feature, it means that archives designed to exploit this vulnerability will have their malicious components blocked, potentially leading to 'missing' files if you expected the vulnerable behavior.
Fix: Ensure your tar archives are correctly formed and do not rely on implicit directory traversal for file placement. Review the contents of untrusted archives before extraction.

Install

pip install tarsafe Install with pip

Imports

TarSafe
```
from tarsafe import TarSafe
```

Quickstart

Initialize a `TarSafe` object with your tar file and use `extractall()` as a direct, secure replacement for the standard library's method.

from tarsafe import TarSafe

# Assuming 'example.tar' exists in the current directory
tar = TarSafe.open('example.tar', 'r')

# This method is now safe against directory traversal vulnerabilities
tar.extractall()

tar.close()

view raw JSON →