Minitar aims to be secure by default for the data inside of a tar file.
Absolutely no security reports will be accepted that have been generated by LLM agents.
Security reports are accepted only for the most recent major release.
By preference, use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.
Alternatively, create a private vulnerability report with GitHub or
send an email to [email protected] with the text minitar in
the subject. Emails sent to this address should be encrypted using age
with the following public key:
age1fc6ngxmn02m62fej5cl30lrvwmxn4k3q2atqu53aatekmnqfwumqj4g93w
There are several classes of potential security issues that will not be accepted for Minitar, because any issues arising from these are a matter of the library being used incorrectly.
Minitar does not perform validation or sanitization of path names provided to
the convenience classes Minitar::Output and Minitar::Input, which use
Kernel.open for their underlying implementations when not given an IO-like
object.
Improper use of these convenience classes with arbitrary input filenames may
leave your software open to the same class of vulnerability as reported for
Net::FTP (CVE-2017-17405): if the input filename argument starts with the pipe
character (|), Kernel.open executes the command following the pipe character
instead of opening a file.
Additionally, when the open-uri library is loaded (it extends Kernel.open with
transparent handlers for Net::HTTP, Net::HTTPS, and Net::FTP), accepting
arbitrary input exposes further vulnerabilities, as detailed by Egor Homakov.
These security vulnerabilities may be avoided, even with the Minitar::Output
and Minitar::Input convenience classes, by providing IO-like objects instead
of pathname-like objects as the source or destination of these classes.
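The following is an added example, not code from Minitar itself, showing the mitigation described above in practice: open the path with File.open (which never consults the pipe convention) and hand the resulting IO object to Minitar::Output or Minitar::Input in place of a filename. The helper names pipe_prefixed?, io_for_minitar and literal_pipe_name_demo are hypothetical, and the filename "|echo hello" is a constructed sample.

```ruby
require "tmpdir"

# Returns true when a filename would be treated as a shell command by
# Kernel.open (and by open-uri), i.e. when it begins with the pipe character.
def pipe_prefixed?(name)
  name.is_a?(String) && name.start_with?("|")
end

# Return a File object for `path`, suitable for passing to Minitar::Output
# or Minitar::Input instead of a pathname. File.open never interprets a
# leading "|", so no subprocess can be spawned here; the explicit check is
# defence in depth so that a tainted name is rejected loudly rather than
# silently producing a file literally named "|...".
def io_for_minitar(path, mode)
  if pipe_prefixed?(path)
    raise ArgumentError, "refusing pipe-prefixed filename #{path.inspect}"
  end
  File.open(path, mode)
end

# Shows that File.open treats "|" as an ordinary character: a file named
# literally "|echo hello" is created inside `dir` and nothing is executed.
# Returns the basenames present in `dir` afterwards.
def literal_pipe_name_demo(dir)
  name = "|echo hello" # constructed sample input
  File.open(File.join(dir, name), "w") { |f| f.write("data") }
  Dir.children(dir)
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    p literal_pipe_name_demo(dir) # => ["|echo hello"]
    begin
      io_for_minitar("|echo hello", "wb")
    rescue ArgumentError => e
      puts e.message
    end
    io = io_for_minitar(File.join(dir, "archive.tar"), "wb")
    # Minitar::Output.open(io) would now write to this known path only,
    # since the convenience class is given an IO object, not a name.
    io.close
  end
end
```

The check in io_for_minitar is not a substitute for File.open; it exists so that a caller who later switches back to passing names (or loads open-uri) still fails closed on the one input shape that Kernel.open turns into command execution.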