Skip to content

Tree: pass filter='fully_trusted' to tarfile.extractall() (PEP 706)#617

Merged
thiell merged 1 commit into
clustershell:masterfrom
thiell:fix/tree-extractall-pep706
Jun 9, 2026
Merged

Tree: pass filter='fully_trusted' to tarfile.extractall() (PEP 706)#617
thiell merged 1 commit into
clustershell:masterfrom
thiell:fix/tree-extractall-pep706

Conversation

@thiell

@thiell thiell commented May 22, 2026

Copy link
Copy Markdown
Collaborator

The bare extractall() call emits a DeprecationWarning on Python 3.12+ and will raise TarError on 3.14. Feature-detect via tarfile.data_filter so older Python versions keep the legacy behavior.

Comment thread tests/TreeWorkerTest.py Outdated
self._tree_rcopy_file(NODE_FOREIGN)

def test_tree_rcopy_no_tarfile_warning(self):
"""test tree rcopy: no tarfile warning leaks (PEP 706)"""

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking: ok we need this test only to check this is fine on old Python versions. So, at some point, we can get rid of it. How would we know?
We need to clarify this is a compat check, like (compat for <Py3.12) or something similar

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's more for Python 3.12-3.13 to make sure they don't emit a warning. I will add a comment to clarify this

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For 3.14+, the current code is broken and other tests would fail.

Comment thread lib/ClusterShell/Worker/Tree.py Outdated


# PEP 706: pass filter='tar' when supported (Python 3.7.17+/3.12+)
_TAR_EXTRACT_KWARGS = {'filter': 'tar'} if hasattr(tarfile, 'data_filter') \

@degremont degremont May 22, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how much did you check that tar is the default we need? (i did not verify myself)
because it looks like the default is None

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked and the default (None or filter='data') would change the behavior by stripping setuid flags, etc. Not really what we want for a tool used by sysadmins I guess. The current behavior is closer to filter='tar', which preserves attributes. As the archiving is kind of trusted (a remote clustershell instance is doing it), I think it's fine. We also add additional protection already with --transform in the command I believe. The legacy behavior is really filter='fully_trusted' but it is indeed risky and I tried to find a reason we would need it but I don't see any. So TL;DR; filter='tar' is a little bit safer than now and should not impact the behavior.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine using tar to ignore the absolute path in tar, but the group bits will be a problem:

Clear high mode bits (setuid, setgid, sticky) and group/other write bits (S_IWGRP | S_IWOTH).

Write bits for group or others is a problem I think. I assume we do not have a test checking we preserve stuff like 0664 or 0666 in the test, but we probably should add one, and that would mean moving to fully_trusted?

@thiell thiell force-pushed the fix/tree-extractall-pep706 branch from 25fc181 to f4ac431 Compare May 22, 2026 18:16
Comment thread lib/ClusterShell/Worker/Tree.py Outdated


# PEP 706: pass filter='tar' when supported (Python 3.7.17+/3.12+)
_TAR_EXTRACT_KWARGS = {'filter': 'tar'} if hasattr(tarfile, 'data_filter') \

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine using tar to ignore the absolute path in tar, but the group bits will be a problem:

Clear high mode bits (setuid, setgid, sticky) and group/other write bits (S_IWGRP | S_IWOTH).

Write bits for group or others is a problem I think. I assume we do not have a test checking we preserve stuff like 0664 or 0666 in the test, but we probably should add one, and that would mean moving to fully_trusted?

Comment thread tests/TreeWorkerTest.py Outdated
self._tree_rcopy_file(NODE_FOREIGN)

def test_tree_rcopy_no_tarfile_warning(self):
"""test tree rcopy: no tarfile warning leaks (PEP 706)"""

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(nitpick) add (<3.14 compat) in the test name

The bare extractall() call warns on Python 3.12+ and will raise on
3.14. Use 'fully_trusted' to preserve current behavior: tarballs are
built by trusted ClusterShell gateways; 'tar' and 'data' would strip
S_IWGRP|S_IWOTH, downgrading modes like 0664 to 0644.

Signed-off-by: Stephane Thiell <sthiell@stanford.edu>
@thiell thiell force-pushed the fix/tree-extractall-pep706 branch from f4ac431 to c4bcb86 Compare May 28, 2026 05:06
@thiell thiell changed the title Tree: pass filter='tar' to tarfile.extractall() (PEP 706) Tree: pass filter='fully_trusted' to tarfile.extractall() (PEP 706) May 30, 2026
@degremont degremont self-requested a review June 9, 2026 14:59
@thiell thiell added this pull request to the merge queue Jun 9, 2026
Merged via the queue into clustershell:master with commit d2fcd16 Jun 9, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants