[security] Document zlib, gzip, bz2 and tarfile known vulnerabilities

[vstinner]

The zlib, gzip, bz2 and tarfile module of the Python standard library has known vulnerabilities:

• Extracting an archive can override any file on the file system, outside the "destination directory"

  • I created [Security] CVE-2007-4559: tarfile: Add absolute_path option to tarfile, disabled by default #73974 in 2017, it's still open
  • tarfile: Traversal attack vulnerability #65308 reported in 2014
  • "tarfile" library will lead to "write any content to any file on the host". #88189 reported in 2021
  • Fixing this vulnerability would be "nice", but the fact is that it's known for 8 years and not fixed yet and all Python versions are affected

• Resources limitations: zlib, gzip and bz2 have a similar vulnerability than zipfile, a small file can use a lot of memory and disk space.

  • https://docs.python.org/dev/library/zipfile.html#zipfile-resources-limitations
  • https://security.stackexchange.com/questions/51071/zlib-deflate-decompression-bomb estimate a maxiumum ratio of 1000:1 (1 compressed byte becomes 1000 uncompressed bytes)
  • bz2: compressing null bytes can have a crazy compression rate of 1,400,000:0 (compressed 1.4 MB becomes 10 TB uncompressed)
  • Example: https://github.com/khast3x/flaskbomb

I would be nice to mention them in each module documentation and then list them in https://docs.python.org/dev/library/security_warnings.html

[gpshead]

more than 8 years for tarfile... https://nvd.nist.gov/vuln/detail/CVE-2007-4559 is python specific, but the same thing in gnu tar is from 2001...

[vstinner]

I created this issue as a TODO list for myself, but my TODO list of full of more important stuff. Sadly, I failed to find time to work on the documentation. At least, https://docs.python.org/dev/library/security_warnings.html contains a few warnings.

If someone else wants to complete the doc, please go ahead!