Path Traversal (Zip-Slip) in unarchive module
Description
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Archive extraction commands perform no code-level validation on extracted file paths, relying entirely on external tool behavior which varies by platform."
Attack vector
An attacker crafts a malicious archive containing files with path traversal components (e.g. `../../etc/cron.d/malicious`). When the `unarchive` module extracts this archive using an external tool like GNU tar, the tool follows the path traversal entries and writes files outside the intended extraction directory. This is exploitable on systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images). No authentication or special privileges are required beyond the ability to supply an archive to the bbot tool. [ref_id=1]
Affected code
The vulnerability resides in `bbot/modules/internal/unarchive.py` in the `extract_file` method. The archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. [patch_id=6466805]
What the fix does
The patch adds a size cap (`_max_extracted_size = 1_000_000_000`) and post-extraction size check in `extract_file`. After extraction completes, it sums the sizes of all extracted files; if the total exceeds 1 GB, the output directory is removed and extraction is aborted. This does **not** fix the path traversal itself — it only prevents extraction of overly large archives. The advisory explicitly states that the underlying archive extraction path traversal was never fixed. [patch_id=6466805]
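Because the patch leaves the traversal unaddressed, the check a practitioner would add is a header inspection before any byte is written. The following is an added example, not bbot's code and not the patch described above: it rejects any tar member whose name, symlink target or hard-link target resolves outside the destination, refuses device nodes, and applies the 1 GB cap (the advisory's `_max_extracted_size` value) to the declared header sizes up front rather than after extraction. It assumes Python's standard `tarfile` on a POSIX filesystem; the sample archives, the destination directory and every function name are constructed for this example. Where the interpreter provides `tarfile.data_filter` (Python 3.12 and the security backports to older 3.x releases), it also passes `filter="data"` as a second layer.

```python
import io
import os
import tarfile
import tempfile

# 1 GB: the `_max_extracted_size` value quoted in the advisory. Everything
# else in this file is illustrative and not bbot's own code.
MAX_EXTRACTED_SIZE = 1_000_000_000


def is_within_directory(directory, target):
    """True if `target`, joined onto `directory`, resolves inside `directory`."""
    abs_dir = os.path.realpath(directory)
    abs_target = os.path.realpath(os.path.join(directory, target))
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def check_members(tar, dest, max_size=MAX_EXTRACTED_SIZE):
    """Inspect every header before anything is written.

    Returns a list of (member name, reason) for rejected entries; an empty
    list means the archive may be extracted into `dest`.
    """
    problems = []
    total = 0
    for m in tar.getmembers():
        # Absolute names and ../ components are the Zip-Slip primitive.
        if os.path.isabs(m.name) or not is_within_directory(dest, m.name):
            problems.append((m.name, "path escapes destination"))
            continue
        # A link that points outside dest lets a later member write through it.
        if m.issym() or m.islnk():
            # Hard-link targets are relative to the archive root; symlink
            # targets are relative to the member's own directory.
            base = "" if m.islnk() else os.path.dirname(m.name)
            link_target = os.path.join(base, m.linkname)
            if os.path.isabs(m.linkname) or not is_within_directory(dest, link_target):
                problems.append((m.name, "link target escapes destination"))
                continue
        if m.isdev():
            problems.append((m.name, "device node"))
            continue
        # Sum the declared sizes so the cap applies before extraction,
        # rather than after it as the advisory's patch does.
        total += m.size
        if total > max_size:
            problems.append((m.name, "size cap exceeded"))
            break
    return problems


def scan_archive(archive_bytes, dest, max_size=MAX_EXTRACTED_SIZE):
    """Open an in-memory tar and run check_members() without extracting."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return check_members(tar, dest, max_size)


def extract_checked(archive_bytes, dest, max_size=MAX_EXTRACTED_SIZE):
    """Extract only when every member passed; raise ValueError otherwise."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        problems = check_members(tar, dest, max_size)
        if problems:
            raise ValueError(f"refusing to extract: {problems}")
        if hasattr(tarfile, "data_filter"):
            # Second layer on interpreters that ship the 'data' filter.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def build_archive(entries):
    """Constructed test input: an in-memory tar from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one benign archive and one carrying the traversal
# entry named in the advisory (its content here is inert filler).
SAFE_ARCHIVE = build_archive([("report/notes.txt", b"hello")])
MALICIOUS_ARCHIVE = build_archive([
    ("report/notes.txt", b"hello"),
    ("../../etc/cron.d/malicious", b"not extracted"),
])


def demo():
    """Returns (benign file landed in dest, problems found in the malicious archive)."""
    with tempfile.TemporaryDirectory() as dest:
        extract_checked(SAFE_ARCHIVE, dest)
        safe_ok = os.path.isfile(os.path.join(dest, "report", "notes.txt"))
        problems = scan_archive(MALICIOUS_ARCHIVE, dest)
    return safe_ok, problems


if __name__ == "__main__":
    print(demo())
```

The check runs over headers only, so a rejected archive costs no disk writes and nothing has to be cleaned up afterwards; the same loop is where a per-file or total size budget belongs, since declared sizes are known before extraction starts.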
Preconditions
- config: The target system must use GNU tar < 1.34 (e.g. Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images).
- input: An attacker must supply a malicious archive to the bbot unarchive module.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.