CVE-2022-23530 – guarddog
Package
Manager: pip
Name: guarddog
Vulnerable Version: >=0 <0.1.8
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
EPSS: 0.00167 (percentile 0.3833)
Details
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package

### Summary

Unsafe extraction of a remotely retrieved tarball with `shutil.unpack_archive()` can write the extracted files to a destination outside the intended directory.

### Details

Extracting a potentially malicious tarball with `shutil.unpack_archive()` without validating that each destination path lies within the intended destination directory lets the archive overwrite files outside that directory. The vulnerable code is at [L153..158](https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158) of `guarddog/scanners/package_scanner.py`:

```python
response = requests.get(url, stream=True)
with open(zippath, "wb") as f:
    f.write(response.raw.read())
shutil.unpack_archive(zippath, unzippedpath)
```

The remotely retrieved package archive (for PyPI sdists, typically a `.tar.gz`) is unpacked with `shutil.unpack_archive()`, which hands tarballs to `tarfile.TarFile.extractall()`. Before the extraction filters introduced in Python 3.12 (and backported to security releases), `extractall()` writes every member to wherever its stored path points, so nothing restricts the extracted files to `unzippedpath`.

### PoC

The PoC shows the harmless text file `sim4n6.txt` being extracted to a parent directory instead of the current folder. Note that GNU `tar` strips the leading `../../../` from member names when listing or extracting; Python's `tarfile` does not, which is why the same archive escapes under `shutil.unpack_archive()`.

```bash
> tar --list -f archive.tar
tar: Removing leading `../../../' from member names
../../../sim4n6.txt
> python3
Python 3.10.6 (main, Nov 2 2022, 18:53:38) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import shutil
>>> shutil.unpack_archive("archive.tar")
>>> exit()
> file ../../../sim4n6.txt
../../../sim4n6.txt: ASCII text
```

### A Potential Attack Scenario

- An attacker crafts a malicious tarball containing a member with a path such as `../../../../../../../../etc/passwd`, publishes it as a PyPI package and waits for GuardDog to scan it. Any file the scanning process has permission to write can then be overwritten; if GuardDog runs as root, that includes system files such as `/etc/passwd`.

### Mitigation

Potential mitigations:

- Use a safer module where the archive format allows it: `zipfile.ZipFile.extractall()` strips absolute paths and `..` components from member names. It only handles zip archives, though, so it does not cover `.tar.gz` sdists.
- Validate the location of every extracted file before writing it, and discard members whose path is absolute or contains `..` components (and, for tarballs, symlink or hard-link members that point outside the destination).
- On Python 3.12+ (or a security release that backports PEP 706), pass `filter="data"` to `shutil.unpack_archive()` or `TarFile.extractall()`; the filter raises on members that would land outside the destination directory.

GuardDog 0.1.8 fixes the issue (see the affected version range above).
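The mitigation bullets above in working code, as an added example that is not part of the advisory or of GuardDog's code base: the advisory's `shutil.unpack_archive()` call kept for contrast, a traversal-safe alternative that vets every tar member's resolved path (and type) before extraction, and a constructed tarball carrying a `../../../sim4n6.txt` member like the PoC. The function names (`vulnerable_unpack`, `safe_extract_tar`, `build_poc_tarball`, `demo`) and the sample archive contents are assumptions made for this example.

```python
"""Traversal-safe tar extraction beside the pattern GuardDog < 0.1.8 used."""
import io
import os
import shutil
import tarfile
import tempfile


def vulnerable_unpack(zippath: str, unzippedpath: str) -> None:
    """The advisory's pattern minus the HTTP download. shutil.unpack_archive()
    hands a tarball to tarfile.extractall(), which before Python 3.12's
    extraction filters puts no restriction on where member paths may land.
    Not called by demo(): with a traversing member it would write outside
    unzippedpath."""
    shutil.unpack_archive(zippath, unzippedpath)


def is_within_directory(directory: str, target: str) -> bool:
    """True when target, with '..' and existing symlinks resolved, is inside directory."""
    real_dir = os.path.realpath(directory)
    real_target = os.path.realpath(target)
    return os.path.commonpath([real_dir, real_target]) == real_dir


def safe_extract_tar(archive_path: str, dest_dir: str) -> list:
    """Extract only regular files and directories whose paths stay inside dest_dir.

    Returns the names of rejected members so the caller can log or flag them.
    Links, devices and FIFOs are rejected outright: a symlink pointing out of
    dest_dir followed by a member written "through" it is the classic bypass of
    a path-only check, and a PyPI sdist has no legitimate need for them.
    """
    rejected = []
    with tarfile.open(archive_path) as tar:
        safe_members = []
        for member in tar.getmembers():
            target = os.path.join(dest_dir, member.name)
            if os.path.isabs(member.name) or not is_within_directory(dest_dir, target):
                rejected.append(member.name)          # absolute or escapes via '..'
            elif not (member.isfile() or member.isdir()):
                rejected.append(member.name)          # symlink, hardlink, device, fifo
            else:
                safe_members.append(member)
        # Defence in depth: on interpreters that ship the PEP 706 filters, let the
        # stdlib re-check the members we already vetted (no-op on older Pythons).
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, members=safe_members, **extra)
    return rejected


def build_poc_tarball(path: str) -> None:
    """Constructed sample archive (not the advisory's PoC file): one benign
    member and one that tries to climb out of the destination, as in the PoC."""
    members = [
        ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n"),
        ("../../../sim4n6.txt", b"escaped the extraction directory\n"),
    ]
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)      # tarfile stores the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> tuple:
    """Build the sample tarball, extract it safely and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "archive.tar.gz")
        build_poc_tarball(archive)
        dest = os.path.join(work, "unzipped")
        os.mkdir(dest)
        rejected = safe_extract_tar(archive, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, name), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest)
            for name in files
        )
    return rejected, extracted


if __name__ == "__main__":
    rejected_members, extracted_files = demo()
    print("rejected:", rejected_members)    # ['../../../sim4n6.txt']
    print("extracted:", extracted_files)    # ['pkg-1.0/setup.py']
```

`is_within_directory()` compares `os.path.realpath()` results rather than string prefixes, so `a/../../x` and paths that differ only in trailing separators are handled correctly. Rejecting every non-file, non-directory member is a policy choice suited to scanning untrusted sdists; a tool that must preserve symlinks would instead resolve each link target against `dest_dir` with the same check. On Python 3.12+ the `filter="data"` argument alone stops the escape, but it aborts the whole extraction with `tarfile.FilterError` instead of reporting which members were hostile, which a scanner usually wants to know.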
Metadata
Created: 2022-12-05T23:34:43Z
Modified: 2024-11-18T16:26:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-78m5-jpmf-ch7v/GHSA-78m5-jpmf-ch7v.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-78m5-jpmf-ch7v
Finding: F063
Auto approve: 1