Can I use this to safely inspect TAR archives from untrusted sources before extracting locally?

Yes — this is one of the primary use cases. The archive is extracted in an isolated server-side environment that blocks path traversal, skips symlinks and device files, and caps output at 5 GB. You get the contents without exposing your own infrastructure.

Does the tool handle gzip-compressed TAR files (.tar.gz and .tgz)?

Yes. The tool supports .tar, .tar.gz, and .tgz formats. These are the most common formats in Linux/Unix distribution and deployment workflows.

What happens if an archive exceeds the 5 GB extraction limit?

Extraction stops automatically at the 5 GB threshold. Files extracted up to that point are returned. This prevents tar bomb denial-of-service conditions.

Are symlinks inside the archive extracted?

No. Symlinks, hard links, and device files are skipped during extraction as a security measure. Only regular files and directories are extracted.

Unpack TAR.GZ Archives Without Touching Your Infrastructure

DevOps engineers routinely receive TAR.GZ archives from vendors, upstream teams, or automated pipelines — and extracting them directly on a bastion host or build server introduces unnecessary risk. Deliteful extracts TAR, TAR.GZ, and TGZ archives in a fully isolated server-side environment, so you can inspect contents safely before they touch any system you own.

Create free account

Extracting untrusted archives on production-adjacent infrastructure is a known attack vector. A crafted TAR can use path traversal sequences (e.g., ../../etc/cron.d/) to write files outside the intended directory. Deliteful blocks this at the extraction layer — every file path is validated, and output is sandboxed per archive. Symlinks and hard links are skipped automatically, eliminating another common exploitation surface.

For DevOps workflows, this is particularly useful when auditing vendor-supplied packages, inspecting deployment artifacts before staging, or quickly checking archive contents without configuring a sandbox VM. Extraction preserves the original folder structure, the 5 GB uncompressed output cap prevents resource exhaustion, and downloaded files are ready to inspect or deploy immediately.

How it works

1
Create a free account
Sign in with Google — takes about 3 clicks and no credit card.
2
Upload the archive
Drop your .tar, .tar.gz, or .tgz file (up to 50 MB) into the uploader.
3
Extraction runs server-side
Deliteful unpacks the archive in an isolated directory with full path traversal and symlink protections.
4
Download and inspect
Extracted files are available for download with the original folder hierarchy intact.

Frequently asked questions

Can I use this to safely inspect TAR archives from untrusted sources before extracting locally?: Yes — this is one of the primary use cases. The archive is extracted in an isolated server-side environment that blocks path traversal, skips symlinks and device files, and caps output at 5 GB. You get the contents without exposing your own infrastructure.
Does the tool handle gzip-compressed TAR files (.tar.gz and .tgz)?: Yes. The tool supports .tar, .tar.gz, and .tgz formats. These are the most common formats in Linux/Unix distribution and deployment workflows.
What happens if an archive exceeds the 5 GB extraction limit?: Extraction stops automatically at the 5 GB threshold. Files extracted up to that point are returned. This prevents tar bomb denial-of-service conditions.
Are symlinks inside the archive extracted?: No. Symlinks, hard links, and device files are skipped during extraction as a security measure. Only regular files and directories are extracted.