Enter the tar pit
Developers of Node.js have released a major update to the technology that resolves five troublesome security vulnerabilities, including some that present a remote code execution risk.
The Node.js patch batch offers relief from a total of three high-severity issues and two moderate security flaws.
The NPM package “tar” (aka node-tar) was vulnerable to an arbitrary file creation/overwrite and arbitrary code execution vulnerability.
Path integrity controls built into the technology came unstuck when “extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems”, as explained in a US National Vulnerability Database (NVD) write-up of the CVE-2021-37701 vulnerability.
“The cache checking logic used both `\` and `/` characters as path separators; however, `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.”
Similar issues could arise on case-insensitive filesystems.
The same NVD alert explains: “If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit.
“A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.”
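To make the cache-bookkeeping failure concrete, here is an added example (not node-tar's own code, but a deliberately simplified model of the directory cache the NVD text describes). It contrasts a key normalizer that treats `\` as a separator and compares case-sensitively everywhere with one that follows the target filesystem's own rules; `makeDirCache`, `weakKey` and `hardenedKey` are names invented for this illustration.

```javascript
// Added example (not node-tar's own code): a simplified model of the
// extractor's directory cache described above, showing how the cache
// key must follow the target filesystem's notion of name equality.
function makeDirCache(normalizeKey) {
  const dirs = new Set();
  return {
    // Record that the extractor has created this directory.
    markDir(p) { dirs.add(normalizeKey(p)); },
    // A symlink now occupies this path: nothing at or below it may be
    // trusted as a real directory any more.
    invalidate(p) {
      const k = normalizeKey(p);
      for (const d of [...dirs]) {
        if (d === k || d.startsWith(k + '/')) dirs.delete(d);
      }
    },
    isKnownDir(p) { return dirs.has(normalizeKey(p)); },
  };
}

// Weak normalizer: splits on both separators everywhere and compares
// case-sensitively, regardless of what the filesystem actually does.
const weakKey = (p) => p.split(/[\\/]+/).filter(Boolean).join('/');

// Hardened normalizer: on posix only '/' separates names (a backslash is
// an ordinary filename character), and on case-insensitive filesystems
// names are case-folded before comparison.
const hardenedKey = ({ win32, caseInsensitive }) => (p) => {
  const parts = (win32 ? p.split(/[\\/]+/) : p.split('/')).filter(Boolean);
  const joined = parts.join('/');
  return caseInsensitive ? joined.toLowerCase() : joined;
};

// Replay the entry sequence from the NVD text: directory FOO, then a
// symlink foo replaces it on disk, then a file under FOO/ arrives.
// Returns true when the extractor would wrongly trust the stale entry.
function staleAfterCaseFlip(normalizeKey) {
  const cache = makeDirCache(normalizeKey);
  cache.markDir('FOO');
  cache.invalidate('foo');
  return cache.isKnownDir('FOO');
}

// Constructed usage: the weak cache keeps trusting FOO on a
// case-insensitive filesystem, the hardened one does not.
const ciPosix = hardenedKey({ win32: false, caseInsensitive: true });
console.log(staleAfterCaseFlip(weakKey), staleAfterCaseFlip(ciPosix)); // true false
// On posix 'a\b' is one name; only the weak key splits it into two.
console.log(weakKey('a\\b'), hardenedKey({ win32: false, caseInsensitive: false })('a\\b'));
```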
Keep it zipped
It’s not unusual for websites to allow users to upload zip (archive) files and extract them, and this is why the tar vulnerability is particularly relevant for webadmins to patch.
Node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. The CVE-2021-37712 vulnerability violates this control, thus creating a risk from malformed tar archives similar to the CVE-2021-37701 vulnerability.
Both flaws are categorized as high-risk. The third high-risk flaw in the batch (CVE-2021-37713) creates an arbitrary file overwrite or code execution risk due to insufficient relative path sanitization, again involving node-tar.
The two other vulnerabilities covered in the patch batch involve issues with the arborist and npm cli modules. Each is categorized as moderate risk.