GHSA-3jfq-g458-7qm9

Suggest an improvement
Source
https://github.com/advisories/GHSA-3jfq-g458-7qm9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-3jfq-g458-7qm9/GHSA-3jfq-g458-7qm9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3jfq-g458-7qm9
Aliases
Published
2021-08-03T19:06:36Z
Modified
2023-11-01T04:55:31.187392Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Details

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc.

This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Patches

3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

NOTE: an adjacent issue CVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your node-tar use case.

Workarounds

Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.

const path = require('path')
const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  // either add this function...
  onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
      entry.path = sanitizeAbsolutePathSomehow(entry.path)
      entry.absolute = path.resolve(entry.path)
    }
  },

  // or this one
  filter: (file, entry) => {
    if (path.isAbsolute(entry.path)) {
      return false
    } else {
      return true
    }
  }
})

Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

References

Affected packages

npm / tar

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.2

npm / tar

Package

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
4.4.14

npm / tar

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.0.6

npm / tar

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
6.1.1