Memory-safe archive extraction library with built-in security validation

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for bug-ops from gravatar.com bug-ops

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License, MIT License (MIT OR Apache-2.0)
  • Author: Exarch Contributors
  • Tags archive , extraction , security , tar , zip , gzip , path-traversal , zip-bomb
  • Requires: Python >=3.9
Classifiers
Report project as malware

Project description

exarch

PyPI Python CI License

Memory-safe archive extraction and creation library for Python.

[!IMPORTANT] exarch is designed as a secure replacement for vulnerable archive libraries like Python's tarfile, which has known CVEs with CVSS scores up to 9.4.

This package provides Python bindings for exarch-core, a Rust library with built-in protection against common archive vulnerabilities.

Installation

pip install exarch

[!TIP] Use uv pip install exarch for faster installation.

Alternative Package Managers

# Poetry
poetry add exarch

# Pipenv
pipenv install exarch

Requirements

  • Python >= 3.9

Quick Start

Extraction

import exarch

result = exarch.extract_archive("archive.tar.gz", "/output/path")
print(f"Extracted {result.files_extracted} files")

Creation

import exarch

result = exarch.create_archive("backup.tar.gz", ["src/", "Cargo.toml"])
print(f"Created archive with {result.files_added} files")

Usage

Basic Extraction

import exarch

result = exarch.extract_archive("archive.tar.gz", "/output/path")

print(f"Files extracted: {result.files_extracted}")
print(f"Bytes written: {result.bytes_written}")
print(f"Duration: {result.duration_ms}ms")

With pathlib.Path

from pathlib import Path
import exarch

archive = Path("archive.tar.gz")
output = Path("/output/path")

result = exarch.extract_archive(archive, output)

Custom Security Configuration

import exarch

config = exarch.SecurityConfig()
config = config.max_file_size(100 * 1024 * 1024)  # 100 MB

result = exarch.extract_archive("archive.tar.gz", "/output", config)

Error Handling

import exarch

try:
    result = exarch.extract_archive("archive.tar.gz", "/output")
    print(f"Extracted {result.files_extracted} files")
except exarch.PathTraversalError as e:
    print(f"Blocked path traversal: {e}")
except exarch.ZipBombError as e:
    print(f"Zip bomb detected: {e}")
except exarch.SecurityViolationError as e:
    print(f"Security violation: {e}")
except exarch.ExtractionError as e:
    print(f"Extraction failed: {e}")

API Reference

extract_archive(archive_path, output_dir, config=None)

Extract an archive to the specified directory with security validation.

Parameters:

Name Type Description
archive_path str | Path Path to the archive file
output_dir str | Path Directory where files will be extracted
config SecurityConfig Optional security configuration

Returns: ExtractionReport

Attribute Type Description
files_extracted int Number of files extracted
bytes_written int Total bytes written
duration_ms int Extraction duration in milliseconds

Raises:

Exception Description
PathTraversalError Path traversal attempt detected
SymlinkEscapeError Symlink points outside extraction directory
HardlinkEscapeError Hardlink target outside extraction directory
ZipBombError Potential zip bomb detected
QuotaExceededError Resource quota exceeded
SecurityViolationError Security policy violation
UnsupportedFormatError Archive format not supported
InvalidArchiveError Archive is corrupted
IOError I/O operation failed

SecurityConfig

Builder-style security configuration.

config = exarch.SecurityConfig()
config = config.max_file_size(100 * 1024 * 1024)   # 100 MB per file
config = config.max_total_size(1024 * 1024 * 1024) # 1 GB total
config = config.max_file_count(10_000)              # Max 10k files

Security Features

The library provides built-in protection against:

Protection Description
Path traversal Blocks ../ and absolute paths
Symlink attacks Prevents symlinks escaping extraction directory
Hardlink attacks Validates hardlink targets
Zip bombs Detects high compression ratios
Permission sanitization Strips setuid/setgid bits
Size limits Enforces file and total size limits

[!CAUTION] Unlike Python's standard tarfile module, exarch applies security validation by default.

Supported Formats

Format Extensions Extract Create
TAR .tar
TAR+GZIP .tar.gz, .tgz
TAR+BZIP2 .tar.bz2, .tbz2
TAR+XZ .tar.xz, .txz
TAR+ZSTD .tar.zst, .tzst
ZIP .zip
7z .7z

[!NOTE] 7z creation is not yet supported. Solid and encrypted 7z archives are rejected for security reasons.

Comparison with tarfile

# UNSAFE - tarfile has known vulnerabilities (CVE-2007-4559)
import tarfile
with tarfile.open("archive.tar.gz") as tar:
    tar.extractall("/output")  # May extract outside target directory!

# SAFE - exarch validates all paths
import exarch
exarch.extract_archive("archive.tar.gz", "/output")  # Protected by default

Development

This package is built using PyO3 and maturin.

# Clone repository
git clone https://github.com/bug-ops/exarch
cd exarch/crates/exarch-python

# Build with maturin
pip install maturin
maturin develop

# Run tests
pytest tests/

Related Packages

License

Licensed under either of:

at your option.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for bug-ops from gravatar.com bug-ops

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License, MIT License (MIT OR Apache-2.0)
  • Author: Exarch Contributors
  • Tags archive , extraction , security , tar , zip , gzip , path-traversal , zip-bomb
  • Requires: Python >=3.9
Classifiers

Release history Release notifications | RSS feed

0.2.9

0.2.8

0.2.7

0.2.6

0.2.5

0.2.4

This version

0.2.3

0.2.2

0.2.1

0.2.0

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

exarch-0.2.3-cp311-cp311-win_amd64.whl (1.0 MB view details)

Uploaded CPython 3.11Windows x86-64

exarch-0.2.3-cp311-cp311-musllinux_1_2_x86_64.whl (1.6 MB view details)

Uploaded CPython 3.11musllinux: musl 1.2+ x86-64

exarch-0.2.3-cp311-cp311-musllinux_1_2_aarch64.whl (1.4 MB view details)

Uploaded CPython 3.11musllinux: musl 1.2+ ARM64

exarch-0.2.3-cp311-cp311-manylinux_2_34_x86_64.whl (1.4 MB view details)

Uploaded CPython 3.11manylinux: glibc 2.34+ x86-64

exarch-0.2.3-cp311-cp311-manylinux_2_34_aarch64.whl (1.3 MB view details)

Uploaded CPython 3.11manylinux: glibc 2.34+ ARM64

exarch-0.2.3-cp311-cp311-macosx_11_0_arm64.whl (1.0 MB view details)

Uploaded CPython 3.11macOS 11.0+ ARM64

exarch-0.2.3-cp311-cp311-macosx_10_12_x86_64.whl (1.1 MB view details)

Uploaded CPython 3.11macOS 10.12+ x86-64

File details

Details for the file exarch-0.2.3-cp311-cp311-win_amd64.whl.

File metadata

  • Download URL: exarch-0.2.3-cp311-cp311-win_amd64.whl
  • Upload date:
  • Size: 1.0 MB
  • Tags: CPython 3.11, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for exarch-0.2.3-cp311-cp311-win_amd64.whl
Algorithm Hash digest
SHA256 d9022a62ceae545f0806ebfb8be622b4d60c40b8bec86fbce2872cdf20e44002
MD5 a510131cc69c62abc39a604d00872abf
BLAKE2b-256 d1e621aa7888fcaa43bd6ed36300a89dff20079036977103c8f6e82a54caaad8

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-win_amd64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file exarch-0.2.3-cp311-cp311-musllinux_1_2_x86_64.whl.

File metadata

File hashes

Hashes for exarch-0.2.3-cp311-cp311-musllinux_1_2_x86_64.whl
Algorithm Hash digest
SHA256 22c5c83154f74763c6ac9331f0900523032f2eb3ae6c7c43fed0ae9c9e2588c1
MD5 447aa414042635ac97f98ed2f4543cdd
BLAKE2b-256 15c9a10168fbbe3ee3854d43bcfa09cc588293a18aaf119fdf6460ea5e7fc0a9

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-musllinux_1_2_x86_64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file exarch-0.2.3-cp311-cp311-musllinux_1_2_aarch64.whl.

File metadata

File hashes

Hashes for exarch-0.2.3-cp311-cp311-musllinux_1_2_aarch64.whl
Algorithm Hash digest
SHA256 e20f9201cc0c7e98a01fa5af2009ba038da4fa7726bbc51b849c1f7eaaa4c288
MD5 29bacb359bce63345c99bf46b9c04499
BLAKE2b-256 2ff4794cb340d362b1e27225124c4d6bbd3a2073e1c9ddcd8c819c553fbda90e

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-musllinux_1_2_aarch64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file exarch-0.2.3-cp311-cp311-manylinux_2_34_x86_64.whl.

File metadata

File hashes

Hashes for exarch-0.2.3-cp311-cp311-manylinux_2_34_x86_64.whl
Algorithm Hash digest
SHA256 2d211688ce138f1f932cd852dc1c9ec4f1a1b712cf766ac2e16d39f3a58148fc
MD5 dd533f209e169f7b128b3ace90c9c1ac
BLAKE2b-256 c458fcf17011724726e89987b30c23a0ef71b25ac6f89f95f7b3a8204dd2685a

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-manylinux_2_34_x86_64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file exarch-0.2.3-cp311-cp311-manylinux_2_34_aarch64.whl.

File metadata

File hashes

Hashes for exarch-0.2.3-cp311-cp311-manylinux_2_34_aarch64.whl
Algorithm Hash digest
SHA256 f0216241af853fdc4de219e389b9f9114b90210a524159bf51384b069278c920
MD5 949554065455d861e276a204ee8d5917
BLAKE2b-256 b6df51cc636c3d3ca97309df299b4f7072b1fbeee4b62e5943bff6e170057024

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-manylinux_2_34_aarch64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file exarch-0.2.3-cp311-cp311-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for exarch-0.2.3-cp311-cp311-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 f2a899c5d7170d2342fafe761d4b72e544ab60c85abcea84073c2e54a832263f
MD5 0f8a9d5d21d697cd8b964b93ca72b47a
BLAKE2b-256 eb31c8eea05ed12262c275783b3bc04e055e8c0378477e88f9baf1cad8a1c938

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-macosx_11_0_arm64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file exarch-0.2.3-cp311-cp311-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for exarch-0.2.3-cp311-cp311-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 7f6c3992a6fc47851b64564b927f00645a6002288d5c79dcb4ed7323eaced31d
MD5 075942347b9e8a90d8d5e5204570db6f
BLAKE2b-256 d861fe3484c44da69d7f41d6f47ac90b3abdc80c199adf8a2c43b0178f96d86e

See more details on using hashes here.

Provenance

The following attestation bundles were made for exarch-0.2.3-cp311-cp311-macosx_10_12_x86_64.whl:

Publisher: release.yml on bug-ops/exarch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page