Merge pull request #565 from onekey-sec/563-tar-filename-too-long

fix(handlers): fix edge cases in tar handler (empty name, too long name).

Author: vlaci

tests/integration/archive/tar/__input__/emptyname.tar

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b5233dfb3a4a23a3bf291bfff8ccfb371fbb2136cb093247d30af090d1e4276
+size 10240

tests/integration/archive/tar/__input__/longname.tar

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd002ebcec73917b4294602e2999809e4119f5209a74f92fc0f70bff838bca69
+size 10240

tests/integration/archive/tar/__output__/emptyname.tar_extract/apple.txt

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:303980bcb9e9e6cdec515230791af8b0ab1aaa244b58a8d99152673aa22197d0
+size 6

tests/integration/archive/tar/__output__/longname.tar_extract/apple.txt

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:303980bcb9e9e6cdec515230791af8b0ab1aaa244b58a8d99152673aa22197d0
+size 6

unblob/handlers/archive/_safe_tarfile.py

@@ -9,6 +9,7 @@
 logger = get_logger()
 
 RUNNING_AS_ROOT = os.getuid() == 0
+MAX_PATH_LEN = 255
 
 
 class SafeTarFile(TarFile):
@@ -18,6 +19,14 @@ def extract(
         path_as_path = Path(str(path))
         member_name_path = Path(str(member.name))
 
+        if not member.name:
+            logger.warning("File with empty filename in tar archive. Skipping")
+            return
+
+        if len(member.name) > MAX_PATH_LEN:
+            logger.warning("File with filename too long in tar archive. Skipping")
+            return
+
         if not RUNNING_AS_ROOT and (member.ischr() or member.isblk()):
             logger.warning(
                 "missing elevated permissions, skipping block and character device creation",