Mitigate CVE-2007-4995

Prevent potential directory path traversal attacks (see
https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html)

wa/workloads/rt_app/__init__.py

@@ -22,7 +22,7 @@ from subprocess import CalledProcessError
 
 from wa import Workload, Parameter, Executable, File
 from wa.framework.exception import WorkloadError, ResourceError, ConfigError
-from wa.utils.misc import check_output
+from wa.utils.misc import check_output, safe_extract
 from wa.utils.exec_control import once
 from wa.utils.types import cpu_mask
 
@@ -286,6 +286,6 @@ class RtApp(Workload):
         host_path = os.path.join(context.output_directory, TARBALL_FILENAME)
         self.target.pull(target_path, host_path)
         with tarfile.open(host_path, 'r:gz') as tf:
-            tf.extractall(context.output_directory)
+            safe_extract(tf, context.output_directory)
         os.remove(host_path)
         self.target.execute('rm -rf {}/*'.format(self.target_working_directory))

wa/workloads/speedometer/__init__.py

@@ -27,6 +27,7 @@ import uuid
 from wa import Parameter, Workload, File
 from wa.framework.exception import WorkloadError
 from wa.utils.exec_control import once
+from wa.utils.misc import safe_extract
 
 from devlib.utils.android import adb_command
 
@@ -154,7 +155,7 @@ class Speedometer(Workload):
         # Host a copy of Speedometer locally
         tarball = context.get_resource(File(self, "speedometer_archive.tgz"))
         with tarfile.open(name=tarball) as handle:
-            handle.extractall(self.temp_dir.name)
+            safe_extract(handle, self.temp_dir.name)
         self.archive_server.start(self.document_root)
 
         Speedometer.speedometer_url = "http://localhost:{}/Speedometer2.0/index.html".format(