dancefinder/dancefinder-app
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Activity

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization #42

New Issue
Closed
opened 2023-11-01 04:47:29 +00:00 by argoyle · 0 comments
argoyle commented 2023-11-01 04:47:29 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

⚠️ dependabot-gitlab has detected security vulnerability for tar in path: /, manifest_file: /package.json but was unable to update it! ⚠️

Package Severity Affected versions Patched versions IDs
tar (NPM) HIGH < 3.2.2 3.2.2 GHSA-3jfq-g458-7qm9,CVE-2021-32804

Description

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc.

This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Patches

3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

NOTE: an adjacent issue CVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your node-tar use case.

Workarounds

Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.

const path = require('path')
const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  // either add this function...
  onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
      entry.path = sanitizeAbsolutePathSomehow(entry.path)
      entry.absolute = path.resolve(entry.path)
    }
  },

  // or this one
  filter: (file, entry) => {
    if (path.isAbsolute(entry.path)) {
      return false
    } else {
      return true
    }
  }
})

Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

References

⚠️ `dependabot-gitlab` has detected security vulnerability for `tar` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️ * https://github.com/advisories/GHSA-3jfq-g458-7qm9 | Package | Severity | Affected versions | Patched versions | IDs | |-----------|----------|-------------------|------------------|----------------------------------------| | tar (NPM) | HIGH | < 3.2.2 | 3.2.2 | `GHSA-3jfq-g458-7qm9`,`CVE-2021-32804` | # Description ### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution `node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. ### Patches 3.2.2 || 4.4.14 || 5.0.6 || 6.1.1 NOTE: an adjacent issue [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw) affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case. ### Workarounds Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. ```js const path = require('path') const tar = require('tar') tar.x({ file: 'archive.tgz', // either add this function... onentry: (entry) => { if (path.isAbsolute(entry.path)) { entry.path = sanitizeAbsolutePathSomehow(entry.path) entry.absolute = path.resolve(entry.path) } }, // or this one filter: (file, entry) => { if (path.isAbsolute(entry.path)) { return false } else { return true } } }) ``` Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves. # References * https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 * https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 * https://www.npmjs.com/advisories/1770 * https://www.npmjs.com/package/tar * https://nvd.nist.gov/vuln/detail/CVE-2021-32804 * https://www.oracle.com/security-alerts/cpuoct2021.html * https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf * https://github.com/advisories/GHSA-3jfq-g458-7qm9
argoyle (Migrated from gitlab.com) closed this issue 2024-02-06 04:41:10 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
javascript
security
Pull requests that address a security vulnerability
 severity:critical
severity:high
severity:low
severity:moderate
No Label security severity:high
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#42
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?