Security Alert - Package: tar; Severity: HIGH; Vuln ID: GHSA-3jfq-g458-7qm9
Closed this issue · 1 comment
due: 2022-02-24
A new vulnerability has been reported by Dependabot. The criticality of this vulnerability is HIGH.
HIGH vulnerabilities have an SLA of 30 days according to our policy.
Affected package: tar
Ecosystem: NPM
Affected version range: >= 6.0.0, < 6.1.1
Summary: Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Description:
### Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example, `/home/user/.bashrc` would turn into `home/user/.bashrc`.

This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.
### Patches
3.2.2 || 4.4.14 || 5.0.6 || 6.1.1
NOTE: an adjacent issue, CVE-2021-32803, affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your node-tar use case.

### Workarounds
Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path`, or a `filter` method which removes entries with absolute paths.
```javascript
const path = require('path')
const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  // either add this function...
  onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
      // sanitizeAbsolutePathSomehow is a placeholder from the advisory:
      // the user supplies a function that turns the path into a relative one
      entry.path = sanitizeAbsolutePathSomehow(entry.path)
      // keep the resolved extraction target in sync with the rewritten path
      entry.absolute = path.resolve(entry.path)
    }
  },
  // or this one: returning false drops the entry from extraction
  filter: (file, entry) => {
    if (path.isAbsolute(entry.path)) {
      return false
    } else {
      return true
    }
  }
})
```
Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.
Identifiers: GHSA-3jfq-g458-7qm9 (GHSA), CVE-2021-32804 (CVE)
Fixed Version: 6.1.1
Created Date: January 25, 2022
***Additional Context***
https://github.com/Recidiviz/covid19-dashboard/security/dependabot?q=is%3Aopen+sort%3Anewest
@phenggeler - label applied: Due this month.