The tarfile module from Python's standard library is in the news this week, with people publicly exploiting the very long-standing CVE-2007-4559[0] (yes, you read that correctly, *2007*). Some old-timers in the community might remember this from such popular hits as OSSA-2011-001: Path traversal issues registering malicious images using EC2 API[1], our very first OpenStack Security Advisory!

This revived interest in unsafe use of tarfile methods will undoubtedly have lots of people scanning OpenStack's Git repos looking for potentially exploitable calls. Indeed, some of our own community members are already auditing the collective codebase to make sure new vulnerabilities haven't sneaked in over the 11 years since this first came up for us, but more help is always welcome. I encourage anyone using tarfile in their projects to double-check you're doing so safely[2]. If you rely on bandit to check your source code, be advised that the most recent 1.7.4 release doesn't catch this, but you can install its main branch[3] instead, which does include a check for it, at least until they tag a new release (which I have a feeling they'll do quite soon given the recent furor around this topic).

On a related note, I want to take this opportunity to remind everyone that OpenStack has a Security Special Interest Group (SIG), which meets monthly[4] on IRC, and members will also be in attendance at the upcoming virtual PTG[5] in case anyone is interested in discussing this or similar subject matter. Our PTG slot is currently booked for 15:00 UTC Wednesday (2022-10-19), though we can adjust or book an additional hour at another time if this conflicts with any tracks people also need to join; just let me know.
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559
[1] https://security.openstack.org/ossa/OSSA-2011-001.html
[2] https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
[3] https://github.com/pycqa/bandit
[4] https://meetings.opendev.org/#OpenStack_Security_SIG_meeting
[5] https://ptg.opendev.org/ptg.html

-- 
Jeremy Stanley
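The "double-check you're doing so safely" advice above comes down to one thing: never hand an untrusted archive to extractall() without first verifying that every member will land inside the destination directory. The following is an added example, not code from the post, from bandit, or from any OpenStack project. It audits an archive's members for the CVE-2007-4559 pattern (absolute paths, ".." components, and symlink or hard-link members whose targets point outside the destination), refuses to extract if any are found, and otherwise extracts, using the standard library's filter="data" when the running Python has it (3.12+, and the 3.8 to 3.11 backports). The sample archive, its member names and the check_sample helper are constructed here for illustration and are not from the original message.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path


def _is_within(base: Path, target: Path) -> bool:
    """True if `target` resolves to `base` itself or to something beneath it."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def unsafe_members(archive: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that would escape `dest` or are otherwise risky.

    Checked before anything is written, so the archive is accepted or
    rejected as a whole (CVE-2007-4559 is about members escaping `dest`).
    """
    base = Path(dest)
    bad: list[str] = []
    for member in archive.getmembers():
        name = member.name
        # Absolute names and ".." components are the classic traversal vectors.
        if os.path.isabs(name) or ".." in Path(name).parts:
            bad.append(name)
            continue
        target = base / name
        if not _is_within(base, target):
            bad.append(name)
            continue
        if member.issym() or member.islnk():
            # Symlink targets are relative to the link's own directory;
            # hard-link targets are relative to the archive root.
            link_base = target.parent if member.issym() else base
            link_target = link_base / member.linkname
            if os.path.isabs(member.linkname) or not _is_within(base, link_target):
                bad.append(name)
                continue
        if member.isdev():
            # Character/block devices have no business in an uploaded archive.
            bad.append(name)
    return bad


def safe_extractall(archive: tarfile.TarFile, dest: str) -> None:
    """Extract only if every member passes the audit above."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    if hasattr(tarfile, "data_filter"):
        # PEP 706 extraction filter: rejects escapes and strips risky metadata.
        archive.extractall(dest, filter="data")
    else:
        archive.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed sample (not from the post): one benign file, one
    path-traversal file, and one symlink that escapes the destination."""
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("good/ok.txt")
        ok.size = len(data)
        tar.addfile(ok, io.BytesIO(data))

        evil = tarfile.TarInfo("../evil.txt")
        evil.size = len(data)
        tar.addfile(evil, io.BytesIO(data))

        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def check_sample() -> list[str]:
    """Audit the constructed sample against a throwaway destination."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
            return unsafe_members(tar, dest)


if __name__ == "__main__":
    print("flagged members:", check_sample())
```

The audit runs over getmembers() before any file is written, which is what makes the accept-or-reject decision atomic; checking paths one member at a time during extraction would leave a window where an earlier symlink member redirects a later regular file. Where filter="data" is available it is the more complete protection and should be preferred; the manual audit is what you are left with on older interpreters.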