Use tarsafe instead of built-in tarfile to extract archives (#89)
* Use tarsafe instead of built-in tarfile to extract archives

* Bump down Semgrep version to 0.112.1

See also semgrep/semgrep#6631
christophetd authored Nov 29, 2022
1 parent 14b3858 commit 98af5c8
Showing 4 changed files with 78 additions and 299 deletions.
4 changes: 2 additions & 2 deletions guarddog/scanners/package_scanner.py
@@ -2,7 +2,7 @@
import os
import shutil
import sys
import tarfile
import tarsafe
import tempfile
import requests
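Review bot: `import tarsafe` now sits in the standard-library group (between `sys` and `tempfile`) although it is a third-party package added to pyproject in this same commit; move it down next to `import requests`. Since this is also the only remaining place the module touches the tar API, consider pairing the swap with a Semgrep rule (the project already depends on semgrep) that flags `tarfile.open` / `extractall` under guarddog/, so the unsafe call cannot quietly return later.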

@@ -44,7 +44,7 @@ def scan_local(self, path, rules=None) -> dict:
if os.path.exists(path):
if path.endswith('.tar.gz'):
with tempfile.TemporaryDirectory() as tmpdirname:
tarfile.open(path).extractall(tmpdirname)
tarsafe.open(path).extractall(tmpdirname)
return self.analyzer.analyze_sourcecode(tmpdirname, rules=rules)
elif os.path.isdir(path):
return self.analyzer.analyze_sourcecode(path, rules=rules)
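Review bot: the changed line `tarsafe.open(path).extractall(tmpdirname)` keeps the pre-existing pattern of opening the archive without a context manager, so the file handle is only released whenever the object is collected; prefer `with tarsafe.open(path) as tar:` followed by `tar.extractall(tmpdirname)`. Also, when tarsafe refuses a member, the exception now propagates out of `scan_local`; for a tool whose job is to flag malicious packages, catching it here and reporting the rejected archive as a finding (with the offending member name) would serve users better than a traceback. Unrelated to this change but visible in the hunk: the `path.endswith('.tar.gz')` test means a `.tgz` or plain `.tar` file never reaches the extractor.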
25 changes: 18 additions & 7 deletions poetry.lock


4 changes: 3 additions & 1 deletion pyproject.toml
@@ -12,7 +12,8 @@ guarddog = "guarddog.cli:cli"
[tool.poetry.dependencies]
python = ">=3.9, <4"
docker = "==6.0.0b1"
semgrep = "==0.122.0"
# NOTE: Before https://github.com/returntocorp/semgrep/issues/6631 is addressed, we can't seem to upgrade past 0.112.1
semgrep = "==0.112.1"
requests = "==2.28.1"
tqdm = "==4.64.0"
python-dotenv = "==0.20.0"
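Review bot: the NOTE comment above the `semgrep = "==0.112.1"` pin says an upgrade "can't seem to" work but not what actually fails; record the symptom (or the rule that breaks) next to the issue link so whoever lifts the pin after semgrep/semgrep#6631 is resolved knows what to re-test. Going from 0.122.0 back to 0.112.1 also skips ten releases, so any rule syntax the bundled rules picked up in between should be checked against the older engine before this lands.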
@@ -47,6 +48,7 @@ flake8 = "^5.0.4"
python-whois = "^0.8.0"
termcolor = "^2.1.0"
setuptools = "^65.6.3"
tarsafe = "^0.0.4"

[tool.poetry.dev-dependencies]
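Review bot: `tarsafe = "^0.0.4"` uses a caret on a 0.0.x version, which Poetry resolves to `>=0.0.4,<0.0.5`, i.e. effectively an exact pin; that is fine for a dependency doing security-relevant work, but write it as `==0.0.4` to match the explicit pins used for `semgrep`, `requests` and `tqdm` above, and so the intent is visible to the next reader rather than relying on caret semantics for pre-0.1 versions. Placement in `[tool.poetry.dependencies]` rather than the dev group is correct, since the scanner needs it at runtime.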
