Security Alert - Package: tar; Severity: HIGH; Vuln ID: GHSA-3jfq-g458-7qm9

Question

Security Alert - Package: tar; Severity: HIGH; Vuln ID: GHSA-3jfq-g458-7qm9

Closed this issue 3 years ago · 1 comments

due: 2022-02-24

    A new vulnerability has been reported by Dependabot. The criticality of this vulnerability is HIGH.

    HIGH vulnerabilities have an SLA of 30 days according to our policy.

    Affected package: tar
    Ecosystem: NPM
    Affected version range: >= 6.0.0, < 6.1.1

    Summary: Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
    Description: ### Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc.

This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Patches

3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

NOTE: an adjacent issue CVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your node-tar use case.

Workarounds

Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.

const path = require('path')
const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  // either add this function...
  onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
      entry.path = sanitizeAbsolutePathSomehow(entry.path)
      entry.absolute = path.resolve(entry.path)
    }
  },

  // or this one
  filter: (file, entry) => {
    if (path.isAbsolute(entry.path)) {
      return false
    } else {
      return true
    }
  }
})

Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.
identifiers: [{'type': 'GHSA', 'value': 'GHSA-3jfq-g458-7qm9'}, {'type': 'CVE', 'value': 'CVE-2021-32804'}]

    Fixed Version: 6.1.1
    Created Date = January 25, 2022

    ***Additional Context***
    https://github.com/Recidiviz/covid19-dashboard/security/dependabot?q=is%3Aopen+sort%3Anewest

Answer 1 · 2022-01-25T06:00:28.000Z

@phenggeler - label applied: Due this month.