dbt-common's commonprefix() doesn't protect against path traversal
What kind of vulnerability is it? Who is impacted? A path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. For example, when extracting to /tmp/packages, a crafted …