I needed something to extract tarballs and Erlang has a tar library in its stdlib. I searched a bit and didn't find other bindings for it, so I polished up what I was using and released it as https://github.com/jtdowney/star
#star - bindings to Erlang's tar library
peak name
I was very surprised it was available
Interesting. I'm using erl_tar for a few things. Will check this out
Looks nice... now I shouldn't have to learn the rest of the Erlang API at least. And cool use of qcheck btw
Oooo this is super useful
Does it protect against tarbombs?
I think I started a tar library and ran out of steam implementing that
It does nothing except bind the Erlang stdlib; you can list the files before extraction. But a tarbomb is more of an inconvenience, unlike a zipbomb
You can overwrite arbitrary files with tar, no?
I could place malware on your path
There is a way to configure what to do if a file would be overwritten: https://hexdocs.pm/star/star.html#OnConflict
For a situation like that you would want to list the files in the tar and validate they are going where you want before extracting, the same way you'd tar tf file.tar before extracting on the CLI
I think it would be cool to have some configuration that makes it an error to expand a file outside of the output path