## Path Traversal Vulnerability in Sethlans Worker Agent Zip Extraction Exposes Systems
A critical path traversal vulnerability exists within the Sethlans worker agent, allowing a maliciously crafted zip archive to write files anywhere on the host filesystem. The flaw resides in the agent's use of Python's `shutil.unpack_archive()` function, which does not validate member paths before extraction. An attacker could embed entries like `../../etc/crontab` or `../../home/user/.ssh/authorized_keys` in a zip file, and the agent would obediently write them outside the intended extraction directory, leading to potential system compromise.

The vulnerability is isolated to the zip archive handling code in `sethlans_worker_agent/utils/file_operations.py`. Notably, the project's tar extraction path correctly uses the `filter='data'` parameter, a security mitigation available in Python 3.12+, which the project already requires. This discrepancy highlights a specific oversight in the zip processing logic, leaving systems that process untrusted zip archives via this agent exposed to arbitrary file writes.

The proposed fix involves abandoning the vulnerable `shutil.unpack_archive()` call in favor of using the `zipfile.ZipFile` class directly. The solution mandates validating all member names within the archive, rejecting any that contain path traversal sequences (`..`) or absolute paths starting with `/` before permitting extraction. This vulnerability underscores the persistent risk in automated file processing pipelines and the necessity of strict input sanitization for any archive format, even when using standard library utilities.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, python, zip, path traversal
- **Credibility**: unverified
- **Published**: 2026-03-31 01:27:02
- **ID**: 42135
- **URL**: https://whisperx.ai/en/intel/42135