add exclusion patterns for tarfile-extractall-traversal

[cjenn-aviatrix]

As per PEP706 the filter arg is used to prevent directory traversal

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Cireo]

per https://docs.python.org/3/library/tarfile.html#default-named-filters we may still want to have failing behavior if filter is 'fully_trusted', or None prior to 3.14, but at least this forces it to be explicit

[mschwager]

Yes, I agree. I think we should still detect cases where filter is set to "fully_trusted", "tar", or None. Since the default will be "data" in Python 3.14 I think that's a reasonable acknowledgment that even "tar" has some security concerns. For example, it allows links to absolute paths or paths outside of the destination.

[GrosQuildu]

Thanks for the PR!

To sum up, from python3.14 the default filter is data and extraction is safe (except DoS attacks). Is that right?
If so, we may want to either:

• only detect extractions with explicit fully_trust (targetting 3.14 and more impactful issues)
• detect the data filters (and filter=None) in addition to fully_trust, maybe lowering the rule's impact (targeting all python versions)

Another question: what happens if both filter and members args are provided:

• filter=data and members=None
• filter=fully_trust and members=some_members()

[Cireo]

My reading of members is that it simply filters some elements, so while it might be more deliberate than a blind extractall, it is not necessarily more safe. Compare with a single .extract, which is also vulnerable to fully_trusted.