Replaced every extractall() call — in the plugin (analyzer.py, sar_flood.py) and in the generated pipeline scripts (pipeline_manager.py) — with safe member-by-member extraction that:

- Computes where each member would be written and checks (via os.path.realpath + os.path.commonpath) that it stays inside the target directory.
- Raises ValueError on any member that would escape — before writing anything.
- Extracts members individually with .extract() instead of .extractall(), so the syntactic Bandit rule has nothing to flag.
- For tar on Python 3.12+, also applies the stdlib filter="data" as defense-in-depth.
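The pattern described above, written out as an added example (this is not the plugin's own code from analyzer.py, sar_flood.py or pipeline_manager.py; function names such as resolve_member_path, safe_extract_zip and safe_extract_tar are assumptions). It runs the realpath + commonpath check over every member before any write, extracts members one at a time with .extract(), and passes filter="data" to tarfile on Python 3.12+. It goes one step beyond the description by also checking tar symlink and hardlink targets, since a link is a second way a member can point outside the target directory; the demo() function builds constructed archives in memory so the block runs offline.

```python
import io
import os
import sys
import tarfile
import tempfile
import zipfile


def resolve_member_path(target_dir, member_name):
    """Return the absolute path the member would be written to, or raise
    ValueError if that path is not inside target_dir.

    realpath normalises '..' components and resolves symlinks in existing
    prefixes; commonpath then proves the result is under the target root.
    """
    target_real = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(target_real, member_name))
    if os.path.commonpath([target_real, dest]) != target_real:
        raise ValueError(f"archive member escapes target directory: {member_name!r}")
    return dest


def safe_extract_zip(zf, target_dir):
    """Check every zip member first, then extract them one by one."""
    for name in zf.namelist():
        resolve_member_path(target_dir, name)
    for member in zf.infolist():
        zf.extract(member, target_dir)


def safe_extract_tar(tf, target_dir):
    """Check every tar member (and link target) first, then extract one by one.
    On 3.12+ the stdlib 'data' filter is applied as defense-in-depth."""
    members = tf.getmembers()
    for m in members:
        resolve_member_path(target_dir, m.name)
        if m.issym():
            # symlink targets are relative to the member's own directory
            resolve_member_path(target_dir, os.path.join(os.path.dirname(m.name), m.linkname))
        elif m.islnk():
            # hardlink targets are relative to the archive root
            resolve_member_path(target_dir, m.linkname)
    for m in members:
        if sys.version_info >= (3, 12):
            tf.extract(m, target_dir, filter="data")
        else:
            tf.extract(m, target_dir)


def demo():
    """Run constructed archives through the safe extractors and report outcomes.
    The traversal archives must be rejected before anything is written."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # constructed benign zip: extracts normally
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("plugin/readme.txt", "hello")
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            safe_extract_zip(zf, tmp)
        results["zip_ok"] = os.path.isfile(os.path.join(tmp, "plugin", "readme.txt"))

        # constructed zip with a '..' member: rejected, nothing written
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("plugin/ok.txt", "fine")
            zf.writestr("../escape.txt", "should never land")
        buf.seek(0)
        out = os.path.join(tmp, "out")
        os.mkdir(out)
        try:
            with zipfile.ZipFile(buf) as zf:
                safe_extract_zip(zf, out)
            results["zip_traversal_rejected"] = False
        except ValueError:
            results["zip_traversal_rejected"] = True
        results["zip_nothing_written"] = os.listdir(out) == []

        # constructed tar with a symlink pointing outside: rejected, nothing written
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tf:
            data = b"fine"
            ti = tarfile.TarInfo("plugin/ok.txt")
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
            link = tarfile.TarInfo("plugin/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tf.addfile(link)
        buf.seek(0)
        out2 = os.path.join(tmp, "out2")
        os.mkdir(out2)
        try:
            with tarfile.open(fileobj=buf, mode="r") as tf:
                safe_extract_tar(tf, out2)
            results["tar_symlink_rejected"] = False
        except ValueError:
            results["tar_symlink_rejected"] = True
        results["tar_nothing_written"] = os.listdir(out2) == []
    return results


if __name__ == "__main__":
    print(demo())
```

Note that zipfile's own .extract() already strips leading slashes and '..' components, so for zip the pre-check mainly turns silent sanitising into a loud ValueError and keeps the linter quiet; for tar before 3.12 the pre-check is the only thing standing between the archive and an arbitrary write, which is why the check runs over all members before the first .extract() call.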
yes
kodeezabdullah
2026-06-11T17:15:14.471766+00:00
3.28.0
4.99.0
None
no
Plugin Tags