juergbi commented on PR #1810: URL: https://github.com/apache/buildstream/pull/1810#issuecomment-2225655800
While the use of `extractall()` in `tests/frontend/buildcheckout.py` is indeed not a security concern as the tarball is generated as part of the test, reviewing the `tar` source plugin code I've noticed that we don't check for absolute paths in the relatively uncommon case where `base-dir` is an empty string. I've opened https://github.com/apache/buildstream/pull/1932 to address that. That PR also adds a comment and an extraction filter on Python 3.12 for the test case.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@buildstream.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
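The two hazards the comment touches on, absolute member names that are not caught when no `base-dir` prefix is stripped, and the `filter="data"` extraction filter that Python 3.12 offers, as an added example that is not BuildStream's plugin code and not from PR #1932: a pre-extraction containment check over every tar member (the `base_dir` stripping is a hypothetical stand-in for the plugin's option, not its implementation), followed by extraction that uses the stdlib filter where the running Python has it. The sample archive is constructed inline.

```python
import io
import os
import tarfile
import tempfile

def _add_member(tar, name, data=b"x"):
    # Name is stored verbatim: absolute and "../" names survive as a hostile archive carries them.
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_tar(hostile=True):
    # Constructed sample: one benign member, plus two that must be rejected.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_member(tar, "src/hello.c")
        if hostile:
            _add_member(tar, "/tmp/absolute.txt")
            _add_member(tar, "src/../../escape.txt")
    return buf.getvalue()

def unsafe_members(tar_bytes, dest_dir, base_dir=""):
    # Member names that would land outside dest_dir. base_dir stands in for the
    # plugin's stripped leading directory (hypothetical); "" strips nothing.
    dest = os.path.realpath(dest_dir)
    prefix = base_dir.strip("/") + "/" if base_dir.strip("/") else ""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = m.name[len(prefix):] if m.name.startswith(prefix) else m.name
            # os.path.join drops dest for an absolute name, so one containment
            # test catches absolute members and "../" escapes alike.
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(m.name)
    return bad

def safe_extract(tar_bytes, dest_dir=None):
    # Refuse the whole archive if any member escapes; otherwise extract with the
    # stdlib 'data' filter where this Python provides it (3.12 and backports).
    dest_dir = dest_dir or tempfile.mkdtemp()
    bad = unsafe_members(tar_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **kwargs)
    return sorted(os.path.relpath(os.path.join(d, f), dest_dir)
                  for d, _, files in os.walk(dest_dir) for f in files)
```

Rejecting the whole archive on the first bad member, rather than silently skipping it, keeps a partially extracted source from being mistaken for a good one.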