cifuzz: reject unsafe tar members in GitHub Actions artifacts #15182

Open
0xmrma wants to merge 1 commit into google:master from 0xmrma:fix-safe-tar-extraction

0xmrma commented Mar 19, 2026

Summary

Reject unsafe TAR members when downloading GitHub Actions artifacts in CIFuzz.

This change adds validation before extracting artifact TAR files and refuses:

  • absolute paths
  • path traversal entries containing ..
  • symlinks and hard links

If an unsafe member is found, extraction is aborted and the artifact download fails safely.

Why

GithubActionsFilestore._download_artifact() previously extracted the embedded TAR with extractall(dst_directory) without validating member paths first.

That made it possible for a malicious artifact TAR to attempt writes outside the intended extraction directory.

Changes

  • add _is_safe_tar_member()
  • add _safe_extract_tar()
  • replace raw extractall() with validated extraction
  • return False and log an error on unsafe TAR content

Tests

Added a unit test that builds a TAR containing:

  • a normal file: demo_fuzzer
  • a traversal entry: ../escape.txt

The test verifies that:

  • the download is rejected
  • the extracted file is not written into the destination directory

Validation

Ran:

python3 -m unittest infra.cifuzz.filestore.github_actions.github_actions_test

Result: all tests passed.

0xmrma commented Mar 19, 2026

Thanks! This PR hardens CIFuzz GitHub Actions artifact extraction by rejecting unsafe TAR members before extraction.

It includes:

  • rejection of absolute-path members
  • rejection of .. traversal members
  • rejection of symlinks / hard links
  • a unit test covering a traversal entry like ../escape.txt

Validation run locally:

python3 -m unittest infra.cifuzz.filestore.github_actions.github_actions_test

I’d appreciate workflow approval so CI can run.
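
The validate-then-extract flow listed in the PR description, as an added example that is not the PR's code: `unsafe_reason`, `safe_extract` and `build_constructed_tar` are hypothetical names, and the archive is constructed in memory. The resolved-path check and the `filter='data'` argument go beyond the three rejections the description lists.

```python
import io
import os
import tarfile


def unsafe_reason(member, dst_directory):
    """Return why a TarInfo is rejected, or None when it is acceptable."""
    name = member.name.replace('\\', '/')
    if member.issym() or member.islnk():
        return 'symlink or hard link'
    if name.startswith('/') or os.path.isabs(member.name):
        return 'absolute path'
    if '..' in name.split('/'):
        return 'path traversal'
    # Extra check (an addition here): the resolved target stays in dst.
    root = os.path.realpath(dst_directory)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        return 'resolves outside destination'
    return None


def safe_extract(tar_bytes, dst_directory):
    """Validate every member first; write nothing unless all pass."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        members = tar.getmembers()
        for member in members:
            reason = unsafe_reason(member, dst_directory)
            if reason:
                return False, f'{member.name}: {reason}'
        # Use the stdlib 'data' filter too where this Python provides it.
        extra = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}
        tar.extractall(dst_directory, members=members, **extra)
    return True, None


def build_constructed_tar(names):
    """Constructed sample input: an in-memory TAR with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        for name in names:
            data = b'constructed sample\n'
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Because every member is checked before the first write, an archive that mixes `demo_fuzzer` with `../escape.txt` leaves the destination directory empty rather than half-extracted.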