From e2ae0f8630c9e2a424cb6fac7d176cf84d8f3fc3 Mon Sep 17 00:00:00 2001
From: Louis Abel <label@rockylinux.org>
Date: Tue, 13 Aug 2024 22:24:41 -0700
Subject: [PATCH] CVE fix for 'safe extract' tar is covered by filter

---
 iso/empanadas/empanadas/util/shared.py | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/iso/empanadas/empanadas/util/shared.py b/iso/empanadas/empanadas/util/shared.py
index f0520ea..987139d 100644
--- a/iso/empanadas/empanadas/util/shared.py
+++ b/iso/empanadas/empanadas/util/shared.py
@@ -1214,6 +1214,8 @@ class Shared:
     def tar_is_within_directory(directory, target):
         """
         CVE-2007-4559
+
+        Function is obsolete. Will be removed in a future version.
         """
         abs_directory = os.path.abspath(directory)
         abs_target = os.path.abspath(target)
@@ -1223,19 +1225,14 @@ class Shared:
     @staticmethod
     def tar_safe_extractall(tar,
             path=".",
-            members=None,
             *,
             numeric_owner=False
         ):
         """
-        CVE-2007-4559
+        CVE-2007-4559 is addressed by setting filter='tar'. This function will
+        remain here to reduce changes to utilities.
         """
-        for member in tar.getmembers():
-            member_path = os.path.join(path, member.name)
-            if not Shared.tar_is_within_directory(path, member_path):
-                raise Exception("Path traversal attempted in tar file")
-
-        tar.extractall(path=path, members=members, numeric_owner=numeric_owner)
+        tar.extractall(path=path, numeric_owner=numeric_owner, filter='tar')
 
     @staticmethod
     def dnf_sync(repo, sync_root, work_root, arch, logger):