fix: add filter='data' to tarfile.extractall in vendor-reflexio.py #83
xiaolai wants to merge 1 commit into
Conversation
Python 3.12 deprecated tarfile.extractall() without a filter argument (PEP 706) and will emit a DeprecationWarning. The filter='data' mode blocks absolute paths and path components that escape the destination directory, hardening against crafted tarballs. Since the script already requires Python 3.11+ (tomllib), a version guard makes the fix safe on both 3.11 and 3.12+.

Co-Authored-By: Claude Code <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/vendor-reflexio.py`:
- Around line 138-141: The if-else block checking sys.version_info is dead code
since the project requires Python 3.12+ in pyproject.toml, making the else
branch unreachable. Remove the entire version check condition and the else
branch, keeping only the tar.extractall call with filter="data" parameter. This
will eliminate the dead code and resolve the associated Ruff warning.
📒 Files selected for processing (1)
scripts/vendor-reflexio.py
```python
if sys.version_info >= (3, 12):
    tar.extractall(vendor_dest, filter="data")
else:
    tar.extractall(vendor_dest)
```
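Review bot: the guard in this hunk keys on the interpreter minor version, but `filter` support is a patch-level feature: PEP 706 backported it to 3.8.17, 3.9.17, 3.10.12 and 3.11.4, and the tarfile documentation recommends `hasattr(tarfile, "data_filter")` as the feature check. As written, a 3.11.4+ interpreter takes the else branch and extracts unfiltered even though the hardened call is available there. Suggest either dropping the guard entirely (if pyproject.toml pins >=3.12, the else branch is dead) or, if 3.11 really must be supported, replacing the condition with `if hasattr(tarfile, "data_filter"):` (assuming the script imports the tarfile module) so the filtered call is used wherever it exists and the unfiltered fallback only runs on interpreters that have no filter at all.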
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify sys import exists and check minimum Python version constraints
echo "=== Checking for sys import ==="
head -50 scripts/vendor-reflexio.py | grep -n "import sys\|from sys"
echo ""
echo "=== Checking pyproject.toml for Python version constraints ==="
fd -t f 'pyproject.toml' --exec grep -l "python" {} \; | head -5 | xargs -I{} sh -c 'echo "--- {} ---"; grep -E "requires-python|python_requires|target-version" {}'
echo ""
echo "=== Checking for .python-version file ==="
cat .python-version 2>/dev/null || echo "No .python-version found"
```

Repository: ReflexioAI/claude-smart
Remove dead code: the else branch is unreachable since the project requires Python 3.12+.
The version guard is correct and sys is properly imported (line 15). However, since pyproject.toml specifies requires-python = ">=3.12", the else branch (lines 140-141) will never execute in production—all instances run Python 3.12+.
Remove the unnecessary else branch:
Suggested change

```python
if sys.version_info >= (3, 12):
    tar.extractall(vendor_dest, filter="data")
else:
    tar.extractall(vendor_dest)
```

Should be:

```python
tar.extractall(vendor_dest, filter="data")
```

This also eliminates the Ruff S202 warning, since filter="data" is now the only code path.
🧰 Tools
🪛 Ruff (0.15.17)
[error] 141-141: Uses of tarfile.extractall() (S202)
Source: Linters/SAST tools
Bug:
scripts/vendor-reflexio.py line 138 calls `tar.extractall(vendor_dest)` without a filter argument. Python 3.12 (PEP 706) deprecated this form and will emit `DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.` In Python 3.14 the default will change to `'data'`, potentially breaking extraction of any archive member whose path contains `..` components.

Evidence:

```bash
python3 -W error::DeprecationWarning -c "import tarfile, tempfile, pathlib; t=tarfile.open('/dev/null','w'); t.close(); t=tarfile.open('/dev/null','r:'); t.extractall(pathlib.Path('/tmp'))"
```

→ `DeprecationWarning` on Python 3.12+. Line 138 of vendor-reflexio.py is the only call site.

Fix: Wrap in a `sys.version_info >= (3, 12)` guard and pass `filter="data"` on 3.12+; fall through to the existing call on 3.11 (the current minimum due to tomllib). No behaviour change for today's typical run; silences the warning and hardens against path-traversal in any future non-git archive source.