From 4b71c9fa94404711c9932d308d90e6b9c81c1866 Mon Sep 17 00:00:00 2001
From: zhijie-yang <zhijie.yang@canonical.com>
Date: Tue, 23 Jun 2026 11:49:27 +0200
Subject: [PATCH 1/2] fix: apply fully_trusted tar extraction filter

Addresses #2373
---
 utils/oscap_docker_python/oscap_docker_util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py
index 81b13d8aa6..167be91911 100644
--- a/utils/oscap_docker_python/oscap_docker_util.py
+++ b/utils/oscap_docker_python/oscap_docker_util.py
@@ -126,7 +126,7 @@ def _extract_container(self):
             self.mountpoint = tempfile.mkdtemp()
             self.extracted_container = True
             with tarfile.open(fileobj=tar) as tf:
-                tf.extractall(path=self.mountpoint)
+                tf.extractall(path=self.mountpoint, filter="fully_trusted")
             Path(os.path.join(self.mountpoint, '.dockerenv')).touch()
 
 

From 191cc5393d7435a66b4bd654024bedf7b1bd1701 Mon Sep 17 00:00:00 2001
From: Zhijie Yang <zhijie.yang@canonical.com>
Date: Thu, 25 Jun 2026 12:01:02 +0200
Subject: [PATCH 2/2] chore: use 'tar' filter

---
 utils/oscap_docker_python/oscap_docker_util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py
index 167be91911..a87e3a96fe 100644
--- a/utils/oscap_docker_python/oscap_docker_util.py
+++ b/utils/oscap_docker_python/oscap_docker_util.py
@@ -126,7 +126,7 @@ def _extract_container(self):
             self.mountpoint = tempfile.mkdtemp()
             self.extracted_container = True
             with tarfile.open(fileobj=tar) as tf:
-                tf.extractall(path=self.mountpoint, filter="fully_trusted")
+                tf.extractall(path=self.mountpoint, filter="tar")
             Path(os.path.join(self.mountpoint, '.dockerenv')).touch()