Fix CVE-2007-4559 warnings in RHEL tar extraction.

Signed-off-by: Leander Stephen D'Souza <leanderdsouza1234@gmail.com>

Author: leander-dsouza

vcs2l/clients/tar.py

@@ -1,4 +1,5 @@
 import os
+import sys
 import tarfile
 from io import BytesIO
 from urllib.error import URLError
@@ -75,7 +76,34 @@ def get_members(tar, prefix):
 
             prefix = str(command.version) + '/'
             members = get_members(tar, prefix)
-        tar.extractall(self.path, members)
+
+        try:
+            if sys.version_info >= (3, 12):
+                tar.extractall(self.path, members, filter='data')
+            else:
+                # Fallback for older Python versions - implement basic safety checks
+                for member in members:
+                    member_path = os.path.join(self.path, member.name)
+                    real_member_path = os.path.realpath(
+                        member_path
+                    )  # compresses ../ and such
+                    real_path = os.path.realpath(self.path)
+
+                    if not real_member_path.startswith(real_path + os.sep):
+                        raise tarfile.ExtractError(
+                            f'Attempted path traversal in tar file: {member.name}'
+                        )
+
+                tar.extractall(self.path, members)
+
+        except tarfile.ExtractError as e:
+            return {
+                'cmd': '',
+                'cwd': self.path,
+                'output': "Failed to unpack tarball fetched from '%s': %s"
+                % (command.url, e),
+                'returncode': 1,
+            }
 
         return {
             'cmd': '',