From 68fbf74d6a087f03a17f58b9b6cc31055dff392b Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 27 Jan 2026 15:32:12 +0000
Subject: [PATCH] fix: tarfile-extractall-traversal-651
---
 .build/run-ci | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.build/run-ci b/.build/run-ci
index 0d4f14dfefc2..95101c93c73f 100755
--- a/.build/run-ci
+++ b/.build/run-ci
@@ -649,7 +649,16 @@ def download_results_and_print_summary(k8s_client, pod_name: str, kube_ns: str,
 def extract_and_rename(archive_path: str, local_results_dir: str, ci_summary_file: str, ci_details_file: str):
 with tarfile.open(archive_path, "r:gz") as tar:
- tar.extractall(path=local_results_dir)
+ def safe_extract(tar, path):
+ """Safely extract tar file by validating member paths to prevent directory traversal."""
+ for member in tar.getmembers():
+ # Normalize the member path and check for directory traversal
+ if os.path.isabs(member.name) or ".." in member.name:
+ continue # Skip potentially dangerous paths
+ # Extract the member
+ tar.extract(member, path)
+
+ safe_extract(tar, local_results_dir)
 if (local_results_dir / "archive/ci_summary.html").exists():
 (local_results_dir / "archive/ci_summary.html").rename(ci_summary_file)
 print(f"CI summary saved as {ci_summary_file}")
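Review bot: The guard in the new `safe_extract`, `os.path.isabs(member.name) or ".." in member.name`, is a substring test, so it silently drops legitimate entries such as `a..b` while still not covering the traversal vectors the helper's docstring claims to prevent: a symlink or hardlink member whose `linkname` points outside `path` followed by a later member written through it, and device or special files. If the CI interpreter is 3.12+ or one of the security backports that ship `tarfile.data_filter` (3.8.17, 3.9.17, 3.10.12, 3.11.4), the whole helper can be replaced by `tar.extractall(path=local_results_dir, filter="data")`, which also rejects those members and raises `tarfile.FilterError` instead of skipping them. If older interpreters must be supported, guard with `if hasattr(tarfile, "data_filter")` and, in the fallback, resolve each member via `os.path.realpath` under `local_results_dir` and compare with `os.path.commonpath`, raising rather than `continue` so a tampered archive fails the CI step loudly instead of producing a partial result set. As a point of style, defining `safe_extract` inside the `with` block with a `tar` parameter that shadows the context manager's `tar` reads poorly; it belongs as a module-level helper, and note the enclosing `download_results_and_print_summary` starts before this hunk.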