
[Security] shutil unpack_archive docs should clarify the security implications #91783

Status: Closed
Labels: docs (Documentation in the Doc dir)
Opened by: @juaristi

Description

@juaristi

Documentation

The tarfile module is vulnerable to Tar Slip and various other symlink-related attacks. These are known issues that are currently being discussed in the community (see: #65308, #73974).

While the tarfile docs show prominent red boxes telling developers to be careful with tarballs coming from untrusted sources, shutil.unpack_archive says nothing about it. However, unpack_archive will leverage tarfile behind the scenes if it sees a .tar.gz (or similar) extension, hence causing unpack_archive to inherit all of tarfile's security issues.

On the other hand, zipfile is reasonably well protected against these problems. But I believe it's easy for developers to misuse unpack_archive under the assumption that it is equivalent to zipfile, and hence use it without properly sanitizing the input files. And as long as the application only receives zip files there will be no problem, but as soon as a malicious tar file is received, the vulnerabilities are triggered. The problem is that zipfile only accepts zip files, throwing an exception otherwise, but unpack_archive accepts many other formats as well as zip.
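As an added example (not part of this issue, and not CPython's own code), the script below makes the point above concrete: it builds a constructed malicious .tar.gz containing a `../` member and a symlink-to-parent followed by a file written through that symlink, shows that shutil chooses the tar handler purely from the file extension, and implements a pre-extraction check that refuses any member which would land outside the destination. `unpack_format_for`, `check_members`, `safe_unpack` and `run_demo` are hypothetical helper names chosen for this example. Since Python 3.12 (and the 3.8.17+/3.9.17+/3.10.12+/3.11.4+ backports) tarfile ships an equivalent built-in check as `filter="data"`, which shutil.unpack_archive also accepts from 3.12 on; the script applies it as a second layer where it exists, so it runs on older and newer interpreters alike.

```python
import io
import os
import shutil
import tarfile
import tempfile


def unpack_format_for(filename):
    """Approximate shutil.unpack_archive's dispatch: first registered format whose extension matches."""
    for name, extensions, _description in shutil.get_unpack_formats():
        if any(filename.endswith(ext) for ext in extensions):
            return name
    return None


def _add_file(tf, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def _add_symlink(tf, name, linkname):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = linkname
    tf.addfile(info)


def build_malicious_tar(path):
    """Constructed sample: members that try to write outside the extraction directory."""
    with tarfile.open(path, "w:gz") as tf:
        _add_file(tf, "../escaped.txt", b"owned\n")        # classic Tar Slip via '..'
        _add_symlink(tf, "out", "../")                      # symlink to the parent dir ...
        _add_file(tf, "out/via_symlink.txt", b"owned\n")    # ... then a file written through it


def build_benign_tar(path):
    """Constructed sample: ordinary members plus an in-tree symlink the check must allow."""
    with tarfile.open(path, "w:gz") as tf:
        _add_file(tf, "README.txt", b"hello\n")
        _add_file(tf, "docs/notes.txt", b"notes\n")
        _add_symlink(tf, "latest", "README.txt")


def _inside(base, target):
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_members(tf, dest):
    """Return [(name, reason)] for every member that must not land in dest (hypothetical helper)."""
    dest = os.path.realpath(dest)
    problems = []
    for m in tf.getmembers():
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not _inside(dest, target):
            problems.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            # symlink targets are relative to the link's directory, hard links to the archive root
            base = os.path.dirname(target) if m.issym() else dest
            if os.path.isabs(m.linkname) or not _inside(dest, os.path.join(base, m.linkname)):
                problems.append((m.name, "link points outside destination"))
        elif not (m.isfile() or m.isdir()):
            problems.append((m.name, "special file (device, fifo)"))
    return problems


def safe_unpack(archive, dest):
    """Reject the whole archive if any member is unsafe, else extract; returns top-level names."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive) as tf:
        problems = check_members(tf, dest)
        if problems:
            raise ValueError(f"refusing to extract {archive}: {problems}")
        # belt and braces: where tarfile has its own 'data' filter (3.12+ and backports), use it too
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)
    return sorted(os.listdir(dest))


def run_demo():
    """Build both constructed archives in a temp dir, exercise the check, and return what happened."""
    results = {"gztar_handler": unpack_format_for("upload.tar.gz"),
               "zip_handler": unpack_format_for("upload.zip")}
    with tempfile.TemporaryDirectory() as tmp:
        evil, benign = os.path.join(tmp, "upload.tar.gz"), os.path.join(tmp, "release.tar.gz")
        build_malicious_tar(evil)
        build_benign_tar(benign)
        dest = os.path.join(tmp, "dest")
        with tarfile.open(evil) as tf:
            results["flagged"] = [name for name, _ in check_members(tf, dest)]
        try:
            safe_unpack(evil, dest)
            results["evil_extracted"] = True
        except ValueError:
            results["evil_extracted"] = False
        results["benign_files"] = safe_unpack(benign, os.path.join(tmp, "dest2"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Two design points matter here. The check is lexical and runs before anything is written, so `out/via_symlink.txt` on its own looks harmless; it is the `out` symlink it depends on that gets flagged, which is why the whole archive is rejected rather than individual members being skipped. For the same reason, extract only into a fresh, empty directory: a pre-existing symlink inside `dest` would be resolved by `realpath` and could defeat the check.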


