frappe · ssiyad · Jun 10, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
diff --git a/agent/base.py b/agent/base.py
@@ -91,13 +91,30 @@ def execute(
 
     def run_subprocess(self, command, directory, input, executable, non_zero_throw=True):
         # Start a child process and start reading output immediately
+        if isinstance(command, str):
+            import warnings
+
+            warnings.warn(
+                "String commands are deprecated; use list form for safety",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+            use_shell = True
+        else:
+            use_shell = False
+            if executable is not None:
+                raise TypeError(
+                    "executable is not supported with list-form commands; "
+                    "include the binary as the first element of the list"
+                )
+
         with subprocess.Popen(
             command,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             stdin=subprocess.PIPE if input else None,
             cwd=directory,
-            shell=True,
+            shell=use_shell,
             executable=executable,
         ) as process:
             if input:

diff --git a/agent/site.py b/agent/site.py
@@ -5,6 +5,7 @@
 import os
 import re
 import shutil
+import tarfile
 import time
 from datetime import datetime
 from shlex import quote
@@ -136,6 +137,36 @@ def restore_site(
         finally:
             self.bench.drop_mariadb_user(self.name, mariadb_root_password, self.database)
 
+    @staticmethod
+    def _safe_extract_tar(path: str, dest: str, strip: int = 0):
+        """Extract a tar archive safely using Python tarfile.
+
+        Strips ``strip`` leading path components from each member.
+        Rejects symlinks, hardlinks, absolute paths, and parent-traversal.
+        """
+        with tarfile.open(path) as tar:
+            members = tar.getmembers()
+            valid = []
+            for member in members:
+                if member.issym() or member.islnk():
+                    raise tarfile.ExtractError(f"Refusing to extract link: {member.name}")
+                if os.path.isabs(member.name):
+                    raise tarfile.ExtractError(f"Refusing absolute path: {member.name}")
+                parts = member.name.split("/")
+                if ".." in parts:
+                    raise tarfile.ExtractError(f"Refusing parent traversal: {member.name}")
+                if strip:
+                    stripped = "/".join(parts[strip:])
+                    if not stripped:
+                        continue
+                    member.name = stripped
+                dest_real = os.path.realpath(dest)
+                target = os.path.realpath(os.path.join(dest, member.name))
+                if not target.startswith(dest_real + os.sep):
+                    raise tarfile.ExtractError(f"Refusing path outside destination: {member.name}")
+                valid.append(member)
+            tar.extractall(path=dest, members=valid)
-        with tarfile.open(path) as tar:
-            members = tar.getmembers()
-            valid = []
-            for member in members:
-                if member.issym() or member.islnk():
-                    raise tarfile.ExtractError(f"Refusing to extract link: {member.name}")
-                if os.path.isabs(member.name):
-                    raise tarfile.ExtractError(f"Refusing absolute path: {member.name}")
-                parts = member.name.split("/")
-                if ".." in parts:
-                    raise tarfile.ExtractError(f"Refusing parent traversal: {member.name}")
-                if strip:
-                    stripped = "/".join(parts[strip:])
-                    if not stripped:
-                        continue
-                    member.name = stripped
-                dest_real = os.path.realpath(dest)
-                target = os.path.realpath(os.path.join(dest, member.name))
-                if not target.startswith(dest_real + os.sep):
-                    raise tarfile.ExtractError(f"Refusing path outside destination: {member.name}")
-                valid.append(member)
-            tar.extractall(path=dest, members=valid)
+        with tarfile.open(path) as tar:
+            members = tar.getmembers()
+            valid = []
+            dest_real = os.path.realpath(dest)
+            for member in members:
+                if member.issym() or member.islnk():
+                    raise tarfile.ExtractError(f"Refusing to extract link: {member.name}")
+                if os.path.isabs(member.name):
+                    raise tarfile.ExtractError(f"Refusing absolute path: {member.name}")
+                parts = member.name.split("/")
+                if ".." in parts:
+                    raise tarfile.ExtractError(f"Refusing parent traversal: {member.name}")
+                if strip:
+                    stripped = "/".join(parts[strip:])
+                    if not stripped:
+                        continue
+                    member.name = stripped
+                target = os.path.realpath(os.path.join(dest, member.name))
+                if not target.startswith(dest_real + os.sep):
+                    raise tarfile.ExtractError(f"Refusing path outside destination: {member.name}")
+                valid.append(member)
+            tar.extractall(path=dest, members=valid)
-        with tarfile.open(path) as tar:
-            members = tar.getmembers()
-            valid = []
-            for member in members:
-                if member.issym() or member.islnk():
-                    raise tarfile.ExtractError(f"Refusing to extract link: {member.name}")
-                if os.path.isabs(member.name):
-                    raise tarfile.ExtractError(f"Refusing absolute path: {member.name}")
-                parts = member.name.split("/")
-                if ".." in parts:
-                    raise tarfile.ExtractError(f"Refusing parent traversal: {member.name}")
-                if strip:
-                    stripped = "/".join(parts[strip:])
-                    if not stripped:
-                        continue
-                    member.name = stripped
-                dest_real = os.path.realpath(dest)
-                target = os.path.realpath(os.path.join(dest, member.name))
-                if not target.startswith(dest_real + os.sep):
-                    raise tarfile.ExtractError(f"Refusing path outside destination: {member.name}")
-                valid.append(member)
-            tar.extractall(path=dest, members=valid)
+        with tarfile.open(path) as tar:
+            members = tar.getmembers()
+            valid = []
+            dest_real = os.path.realpath(dest)
+            for member in members:
+                if member.issym() or member.islnk():
+                    raise tarfile.ExtractError(f"Refusing to extract link: {member.name}")
+                if os.path.isabs(member.name):
+                    raise tarfile.ExtractError(f"Refusing absolute path: {member.name}")
+                parts = member.name.split("/")
+                if ".." in parts:
+                    raise tarfile.ExtractError(f"Refusing parent traversal: {member.name}")
+                if strip:
+                    stripped = "/".join(parts[strip:])
+                    if not stripped:
+                        continue
+                    member.name = stripped
+                target = os.path.realpath(os.path.join(dest, member.name))
+                if not target.startswith(dest_real + os.sep):
+                    raise tarfile.ExtractError(f"Refusing path outside destination: {member.name}")
+                valid.append(member)
+            tar.extractall(path=dest, members=valid)
+
     @step("Restore Files")
     def restore_files(
         self,
@@ -152,9 +183,10 @@ def restore_files(
             finally:
                 os.makedirs(dir_path, exist_ok=True)
 
-            self.execute(
-                f"tar {'z' if public_file.endswith('.tgz') else ''}xvf {public_file} --strip 2",
-                directory=os.path.join(sites_directory, self.name),
+            self._safe_extract_tar(
+                public_file,
+                dest=os.path.join(sites_directory, self.name),
+                strip=2,
             )
 
         if private_file:
@@ -164,9 +196,10 @@ def restore_files(
             finally:
                 os.makedirs(dir_path, exist_ok=True)
 
-            self.execute(
-                f"tar {'z' if private_file.endswith('.tgz') else ''}xvf {private_file} --strip 2",
-                directory=os.path.join(sites_directory, self.name),
+            self._safe_extract_tar(
+                private_file,
+                dest=os.path.join(sites_directory, self.name),
+                strip=2,
             )
 
     @step("Checksum of Downloaded Backup Files")

diff --git a/agent/utils.py b/agent/utils.py
@@ -3,6 +3,7 @@
 import hashlib
 import os
 import re
+import secrets
 import shutil
 import struct
 import subprocess
@@ -58,7 +59,15 @@ def to_bytes(size_str: str) -> float:
 
 def download_file(url, prefix):
     """Download file locally under path prefix and return local path"""
-    filename = urlparse(url).path.split("/")[-1]
+    basename = os.path.basename(urlparse(url).path)
+    ext = ""
+    for known in (".sql.gz", ".tar.gz", ".tgz", ".sql", ".gz", ".tar"):
+        if basename.endswith(known):
+            ext = known
+            break
+    if ext and not all(c.isalnum() or c in "._-" for c in ext):
+        ext = ""
+    filename = secrets.token_urlsafe(16) + ext
     local_filename = os.path.join(prefix, filename)
 
     with requests.get(url, stream=True) as r: