## Description

When running the `mcn_detect_malicious_metadata_1` check using Macaron on the main branch, I encountered an exception during the analysis of the `vector-classifier-python` package from PyPI. The error appears to be related to the extraction of a special file from the package source.
## Steps to Reproduce

- Clone the Macaron repository and check out the main branch.
- Install Macaron and its dependencies.
- Run the analysis command:

```
macaron --verbose analyze -purl pkg:pypi/vector-classifier-python
```
## Expected Behavior

The tool should successfully analyze the PyPI package, regardless of the presence of unusual or special files inside the package archive.
## Actual Behavior

The command fails with a Python exception when trying to extract the source archive, due to a special file named `nul` in the `vector_classifier_python-0.1.0` directory. The error traceback is as follows:

```
  File "[...]/macaron/src/macaron/slsa_analyzer/package_registry/pypi_registry.py", line 269, in download_package_sourcecode
    sourcecode_tar.extractall(temp_dir, filter="data")
  File "[...]/.pyenv/versions/3.11.13/lib/python3.11/tarfile.py", line 2303, in extractall
    tarinfo, unfiltered = self._get_extract_tarinfo(
  File "[...]/.pyenv/versions/3.11.13/lib/python3.11/tarfile.py", line 2392, in _get_extract_tarinfo
    self._handle_fatal_error(e)
  File "[...]/.pyenv/versions/3.11.13/lib/python3.11/tarfile.py", line 2390, in _get_extract_tarinfo
    filtered = filter_function(unfiltered, path)
  File "[...]/.pyenv/versions/3.11.13/lib/python3.11/tarfile.py", line 844, in data_filter
    new_attrs = _get_filtered_attrs(member, dest_path, True)
  File "[...]/.pyenv/versions/3.11.13/lib/python3.11/tarfile.py", line 801, in _get_filtered_attrs
    raise SpecialFileError(member)
tarfile.SpecialFileError: 'vector_classifier_python-0.1.0/nul' is a special file
```
## Environment Information

To assist with troubleshooting, please provide the following information about your environment:

- Operating System: Ubuntu 22.04
- CPU architecture information: x86-64
- Python: 3.11.13
- Macaron version or commit hash: 736dbf8