-
Notifications
You must be signed in to change notification settings - Fork 906
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(security) Fix tar slip in micropackaging #3559
Conversation
Signed-off-by: Ankita Katiyar <[email protected]>
Signed-off-by: Ankita Katiyar <[email protected]>
Signed-off-by: Ankita Katiyar <[email protected]>
What's the bandit error message exactly? |
@astrojuanlu It flags the same issue, actually, but brings down the severity from high to medium -
|
Signed-off-by: Ankita Katiyar <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! ⭐ I'd suggest adding it to the release notes as well to make it visible we take security seriously in Kedro.
It's a shame bandit still flags it.. hopefully they fix it soon.
Signed-off-by: Ankita Katiyar <[email protected]>
Description
Fix #3473
While we had already addressed the vulnerability with #2180, this helps snyk not flag it. You can test it by setting up snyk locally and running
snyk code test
Also removed
extractall
from tests and replaced withsafe_extract
.Before
After
bandit
still flags this so I haven't removed the# no sec B202
Checklist
RELEASE.md
file