)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"915c82a0c684a3171b5143f5f4c5806210687e86","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Test for unsafe files in tarfile.extractall"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Closes-Bug: #1990432"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Change-Id: I650fcbc8f773fad8116338f6fb0cf7b4f4f17b33"},{"line_number":12,"context_line":"(cherry picked from commit 3d008b7f5ec2a54d004e8e9370f303ef9dc7858b)"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"87eba039_b41bed52","line":9,"updated":"2023-04-12 17:32:51.000000000","message":"is this a typo?\n\nhttps://launchpad.net/bugs/1990432\n\ngives me \" This page does not exist, or you may not have permission to see it.\"\n\nif this closes an yet undisclosed security bug I would vouch to open up this bugreport now, because the fix is effectively public now.","commit_id":"b65c68e37ed662b5a75ca7860a7db0b121683557"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"1da14850eaa382d7786d50eece448c0c8a161f80","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Test for unsafe files in tarfile.extractall"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Closes-Bug: #1990432"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Change-Id: I650fcbc8f773fad8116338f6fb0cf7b4f4f17b33"},{"line_number":12,"context_line":"(cherry picked from commit 3d008b7f5ec2a54d004e8e9370f303ef9dc7858b)"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"34376451_388eeab3","line":9,"in_reply_to":"87eba039_b41bed52","updated":"2023-04-12 18:40:07.000000000","message":"this patchset is a cherry-pick from the master pushed months ago, so maybe bug was removed.","commit_id":"b65c68e37ed662b5a75ca7860a7db0b121683557"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d54125016bb4da29392465f049a3767d2bacdb07","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"383994fa_d991fa4e","updated":"2023-04-12 16:28:50.000000000","message":"recheck (fresh results)","commit_id":"1ab0becb2be61e3bfaf46351bbeeb61106b2beb0"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"1317e9de51ff17e9d7f74467507be4d212fb4d4f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"dabfafb7_2f98c4bd","updated":"2023-04-13 06:43:25.000000000","message":"Let\u0027s merge this, some backports are pending on this.","commit_id":"9b350df4b3188183914f96b44b633fab3ad9afa3"}],"kolla/image/build.py":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"915c82a0c684a3171b5143f5f4c5806210687e86","unresolved":true,"context_lines":[{"line_number":493,"context_line":"        def _test_malicious_tarball(archive, path):"},{"line_number":494,"context_line":"            tar_file \u003d tarfile.open(archive, \u0027r|gz\u0027)"},{"line_number":495,"context_line":"            for n in tar_file.getnames():"},{"line_number":496,"context_line":"                if not os.path.abspath(os.path.join(path, n)).startswith(path):"},{"line_number":497,"context_line":"                    tar_file.close()"},{"line_number":498,"context_line":"                    self.logger.error(f\u0027Unsafe filenames in archive {archive}\u0027)"},{"line_number":499,"context_line":"                    raise ArchivingError"}],"source_content_type":"text/x-python","patch_set":4,"id":"f84edb43_f28a3f70","line":496,"range":{"start_line":496,"start_character":31,"end_line":496,"end_character":38},"updated":"2023-04-12 17:32:51.000000000","message":"depending on the vulnerability details - which are not disclosed yet, see my other comment - it might not be sufficient to check with abspath, you might also want to take a look at os.path.realpath and this talk about symlink vulns:\n\n\n\nhttps://lwn.net/Articles/899543/\n\nthe slides are here: https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Allison-Symlinks_considered_harmful.pdf\n\nrealpath docs are here:\n\nhttps://docs.python.org/3/library/os.path.html#os.path.realpath\n\nHTH","commit_id":"b65c68e37ed662b5a75ca7860a7db0b121683557"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"1da14850eaa382d7786d50eece448c0c8a161f80","unresolved":false,"context_lines":[{"line_number":493,"context_line":"        def _test_malicious_tarball(archive, path):"},{"line_number":494,"context_line":"            tar_file \u003d tarfile.open(archive, \u0027r|gz\u0027)"},{"line_number":495,"context_line":"            for n in tar_file.getnames():"},{"line_number":496,"context_line":"                if not os.path.abspath(os.path.join(path, n)).startswith(path):"},{"line_number":497,"context_line":"                    tar_file.close()"},{"line_number":498,"context_line":"                    self.logger.error(f\u0027Unsafe filenames in archive {archive}\u0027)"},{"line_number":499,"context_line":"                    raise ArchivingError"}],"source_content_type":"text/x-python","patch_set":4,"id":"aa552569_f66a14dd","line":496,"range":{"start_line":496,"start_character":31,"end_line":496,"end_character":38},"in_reply_to":"f84edb43_f28a3f70","updated":"2023-04-12 18:40:07.000000000","message":"feel free to fix this in the master branch.","commit_id":"b65c68e37ed662b5a75ca7860a7db0b121683557"}],"kolla/tests/test_build.py":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4b016479d2c13612a5bc18a4ecca852cfe453c02","unresolved":false,"context_lines":[{"line_number":304,"context_line":"    @mock.patch.dict(os.environ, clear\u003dTrue)"},{"line_number":305,"context_line":"    @mock.patch(\u0027docker.APIClient\u0027)"},{"line_number":306,"context_line":"    def test_malicious_tar(self, mock_client):"},{"line_number":307,"context_line":"        self.conf.set_override(\u0027install_type\u0027, \u0027source\u0027)"},{"line_number":308,"context_line":"        tmpdir \u003d tempfile.mkdtemp()"},{"line_number":309,"context_line":"        file_name \u003d \u0027test.txt\u0027"},{"line_number":310,"context_line":"        archive_name \u003d \u0027my_archive.tar.gz\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"639c178e_32c3dedb","line":307,"range":{"start_line":307,"start_character":0,"end_line":307,"end_character":56},"updated":"2023-04-12 20:16:36.000000000","message":"Fixed tox job. This test is for source install type only.","commit_id":"9b350df4b3188183914f96b44b633fab3ad9afa3"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"1317e9de51ff17e9d7f74467507be4d212fb4d4f","unresolved":false,"context_lines":[{"line_number":304,"context_line":"    @mock.patch.dict(os.environ, clear\u003dTrue)"},{"line_number":305,"context_line":"    @mock.patch(\u0027docker.APIClient\u0027)"},{"line_number":306,"context_line":"    def test_malicious_tar(self, mock_client):"},{"line_number":307,"context_line":"        self.conf.set_override(\u0027install_type\u0027, \u0027source\u0027)"},{"line_number":308,"context_line":"        tmpdir \u003d tempfile.mkdtemp()"},{"line_number":309,"context_line":"        file_name \u003d \u0027test.txt\u0027"},{"line_number":310,"context_line":"        archive_name \u003d \u0027my_archive.tar.gz\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"5e18c972_528e7f3e","line":307,"range":{"start_line":307,"start_character":0,"end_line":307,"end_character":56},"in_reply_to":"639c178e_32c3dedb","updated":"2023-04-13 06:43:25.000000000","message":"Thanks","commit_id":"9b350df4b3188183914f96b44b633fab3ad9afa3"}]}