Fix tarfile symlink/hardlink escape in safe_extract

[Copilot]

The previous safe_extract only validated member string paths, leaving it vulnerable to symlink/hardlink escape attacks — a crafted tarball could plant a symlink inside the target directory and extract a subsequent file through it to write anywhere on the filesystem.

Changes

• Python ≥3.11.4 / ≥3.12: delegates to filter=tarfile.data_filter, Python's built-in extraction filter that blocks path traversal, symlinks, hardlinks, and device files at the stdlib level
• Python 3.11.0–3.11.3 fallback: explicitly rejects any TarInfo member where issym(), islnk(), or isdev() is true before the path-traversal check; only verified regular files/directories are passed to extractall()

def safe_extract(tar, path=".", *, numeric_owner=False):
    # Use the built-in extraction filter when available (Python >=3.11.4 / >=3.12)
    if hasattr(tarfile, "data_filter"):
        tar.extractall(path, numeric_owner=numeric_owner, filter=tarfile.data_filter)
        return

    safe_members = []
    for member in tar.getmembers():
        # Reject symlinks, hardlinks and special files to prevent
        # escape-via-link attacks even when the path looks safe.
        if member.issym() or member.islnk() or member.isdev():
            raise ValueError(f"Unsafe tar member type: {member.name}")
        member_path = os.path.join(path, member.name)
        if not is_within_directory(path, member_path):
            raise ValueError("Attempted Path Traversal in Tar File")
        safe_members.append(member)

    tar.extractall(path, safe_members, numeric_owner=numeric_owner)

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.