Sourced fromThe GitHub Security Advisory Database.

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when thepreservePaths flag is not set totrue. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example/home/user/.bashrc would turn intohome/user/.bashrc.

This logic was insufficient when file paths contained repeated path roots such as////home/user/.bashrc.node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g.///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Patches

3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

NOTE: an adjacent issueCVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that addressCVE-2021-32803 as well if this adjacent issue affects yournode-tar use case.

Workarounds

Users may work around this vulnerability without upgrading by creating a customonentry method which sanitizes theentry.path or afilter method which removes entries with absolute paths.

constpath=require('path')</tr></table>

... (truncated)

Affected versions: >= 4.0.0 < 4.4.14

Sourced fromThe GitHub Security Advisory Database.

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessarystat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to thenode-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also wherenode-tar checks for symlinks occur.

By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypassnode-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Patches

3.2.3 || 4.4.15 || 5.0.7 || 6.1.2

Workarounds

Users may work around this vulnerability without upgrading by creating a customfilter method which prevents the extraction of symbolic links.

... (truncated)

Affected versions: >= 4.0.0 < 4.4.15

• 843c897 4.4.15
• 46fe350 Remove paths from dirCache when no longer dirs
• df3aa4d 4.4.14
• 6d28013 add publishConfig tag
• efc6bb0 fix: strip absolute paths more comprehensively
• See full diff incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabotdashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)