CVE Vulnerabilities

CVE-2021-37701

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Published: Aug 31, 2021 | Modified: Jan 19, 2023
CVSS 3.x
8.6
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 2.x
4.4 MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
8.1 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Ubuntu
MEDIUM

The npm package tar (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both and `/` characters as path separators, however is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Weakness

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Software

Name Vendor Start Version End Version
Tar Npmjs * 4.4.16 (excluding)
Tar Npmjs 5.0.0 (including) 5.0.8 (excluding)
Tar Npmjs 6.0.0 (including) 6.1.7 (excluding)
Red Hat Enterprise Linux 8 RedHat nodejs:12-8060020220523160029.ad008a3a *
Red Hat Enterprise Linux 8 RedHat nodejs:14-8050020211213115342.c5368500 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat nodejs:12-8010020220518102644.c27ad7f8 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat nodejs:12-8020020220523154454.4cda2c84 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat nodejs:12-8040020220523155137.522a0ee4 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat nodejs:14-8040020211213111158.522a0ee4 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/ocs-operator-bundle:4.9.0-5 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odf-multicluster-operator-bundle:4.9.0-5 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odf-operator-bundle:4.9.0-5 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odr-cluster-operator-bundle:4.9.0-5 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odr-hub-operator-bundle:4.9.0-5 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9 *
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8 RedHat odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs14-nodejs-0:14.18.2-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs12-nodejs-0:12.22.12-2.el7 *
Node-tar Ubuntu bionic *
Node-tar Ubuntu hirsute *
Node-tar Ubuntu trusty *
Node-tar Ubuntu upstream *
Node-tar Ubuntu xenial *

Extended Description

Many file operations are intended to take place within a restricted directory. By using special elements such as “..” and “/” separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the “../” sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as “/usr/local/bin”, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add “.txt” to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction.

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single “.” character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as “/” to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.

  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering “/” is insufficient protection if the filesystem also supports the use of “" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if “../” sequences are removed from the “…/…//” string in a sequential fashion, two instances of “../” would be removed from the original string, but the remaining characters would still form the “../” string.

  • Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes “..” sequences and symbolic links (CWE-23, CWE-59). This includes:

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

  • For example, ID 1 could map to “inbox.txt” and ID 2 could map to “profile.txt”. Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.

  • Run the code in a “jail” or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.

  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.

  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.

  • Be careful to avoid CWE-243 and other weaknesses related to jails.

  • Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server’s access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.

  • This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.

  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.

  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.

  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.

  • In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.

References