
PyZipfile

The zipfile module. ZipFile.extractall() and extract() are zip-slip sinks when the archive is untrusted. Python's extractall resolves .. segments in archive members to paths outside the target directory.

Taint flow: 0 sources, 2 sinks (dangerous call): .extractall(), .extract()

Sinks

.extractall() (Sink)

Signature
ZipFile.extractall(path=None, members=None, pwd=None) -> None

Extracts all members. Zip-slip sink on untrusted archives.

.extract() (Sink)

Signature
ZipFile.extract(member, path=None, pwd=None) -> str

Extracts a single member. Same zip-slip risk.
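A pre-flight path check that sits in front of both sinks above, added here as an example (this is not codepathfinder's code; the names unsafe_members, safe_extractall, build_archive and demo are chosen for this example, and the archive contents are constructed test input): every member name is resolved against the extraction root, and the archive is refused as a whole if any member would land outside it.

```python
"""Pre-flight check for ZIP member paths before calling extractall()/extract().

Added example for this page; not codepathfinder's own code. The function
names (unsafe_members, safe_extractall, build_archive, demo) are this
example's own, and the archives built below are constructed test input.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


class UnsafeMemberError(ValueError):
    """Raised when an archive member would land outside the extraction root."""


def unsafe_members(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return member names whose destination path would escape `dest`.

    Each member name is joined to the symlink-resolved root and resolved
    again; a member is safe only if the root is a prefix of the result.
    Absolute member names replace the root entirely during os.path.join,
    so they fail the same prefix test.
    """
    root = os.path.realpath(dest)
    flagged = []
    for info in zf.infolist():
        name = info.filename
        target = os.path.realpath(os.path.join(root, name))
        try:
            inside = os.path.commonpath([root, target]) == root
        except ValueError:  # different drives on Windows: cannot be inside
            inside = False
        if not inside:
            flagged.append(name)
    return flagged


def safe_extractall(zf: zipfile.ZipFile, dest: str) -> None:
    """Extract only if every member passes the path check; otherwise refuse the archive."""
    flagged = unsafe_members(zf, dest)
    if flagged:
        raise UnsafeMemberError(f"refusing to extract, unsafe member paths: {flagged}")
    zf.extractall(dest)  # the sink, now reached only for validated archives


def build_archive(members: dict[str, bytes]) -> zipfile.ZipFile:
    """Build an in-memory archive from {member_name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        for name, data in members.items():
            out.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


def demo() -> dict:
    """Run the check on a constructed hostile archive and a clean one in a temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_archive({
            "docs/readme.txt": b"fine",        # stays under dest
            "../escape.txt": b"traversal",     # parent-directory segment
            "/abs/outside.txt": b"absolute",   # absolute member path
        })
        flagged = unsafe_members(hostile, dest)
        try:
            safe_extractall(hostile, dest)
            hostile_extracted = True
        except UnsafeMemberError:
            hostile_extracted = False

        clean = build_archive({"docs/readme.txt": b"fine"})
        safe_extractall(clean, dest)
        written = sorted(
            p.relative_to(dest).as_posix()
            for p in Path(dest).rglob("*") if p.is_file()
        )
    return {"flagged": flagged, "hostile_extracted": hostile_extracted, "written": written}


if __name__ == "__main__":
    print(demo())
```

The check is deliberately fail-closed: one bad member rejects the whole archive and reports every offending name, instead of extracting the well-formed members and quietly dropping or relocating the rest. Current CPython releases already strip absolute prefixes and `..` components inside `_extract_member` when building the destination path, so the practical gain of the pre-flight is the refusal and the list of offending members, which is what a reviewer or an alert wants to see.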

Fully-Qualified Names

FQN               Field
zipfile           fqns[0]
zipfile.ZipFile   fqns[1]

A wrong FQN yields 0 findings. Sanity check: change the fqns entries to garbage values; the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyZipfile