Copier Library and CLI Safe Template Write Access Vulnerability

Vulnerability

A vulnerability exists in the Copier library and CLI application, affecting versions from 7.1.0 up to, but not including, 9.9.1. The issue arises because Copier's documentation suggests that it is safe to generate projects from templates deemed 'safe', meaning those that do not use unsafe features such as custom Jinja extensions, which require the '--UNSAFE' (alias '--trust') flag. However, a safe template can still write files outside the designated project generation or update path. This happens when the template's rendered directory structure contains relative parent paths ('..') or absolute paths, built with Copier's built-in 'pathjoin' Jinja filter and the '_copier_conf.sep' variable, which holds the platform-specific path separator. As a result, a malicious template author could craft a template that overwrites arbitrary files, limited only by the write permissions of the user running Copier, potentially leading to disruptive consequences.

Impact

Exploitation of this vulnerability allows for unauthorized file overwrites outside the intended project directory, based on the user's write permissions. This could be used to disrupt system operations or manipulate important files.

Reproduction

The vulnerability can be reproduced by creating a 'forbidden.txt' file in the current directory, then building a Copier template whose rendered file path uses the 'pathjoin' filter to step outside the intended destination directory and point at 'forbidden.txt'. After copying the template, the original 'forbidden.txt' is overwritten with the content specified in the template, demonstrating the unauthorized write access.

Remediation

Users can update to Copier version 9.9.1 or later, where this vulnerability has been fixed.
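The defensive check this class of bug calls for is a containment test on every rendered destination path before anything is written. The following is an added example, not code from the Copier project: it assumes hypothetical helper names (is_contained, find_escaping_paths) and feeds them constructed rendered paths shaped like the ones the advisory describes (a '..' segment joined with the platform separator, and an absolute path) alongside benign ones. The point it shows beyond the text is that a lexical check for '..' is not enough; resolving the joined path and confirming it is still under the destination root catches both traversal forms and symlinked escapes in one place.

```python
import os
from pathlib import Path


def is_contained(dst_root: str, rendered_rel_path: str) -> bool:
    """Return True only if a rendered template path stays inside dst_root.

    dst_root: the destination directory chosen by the user (project root).
    rendered_rel_path: the path produced by rendering a template file or
        directory name (for example the output of a pathjoin-style filter).
    """
    root = Path(dst_root).resolve()
    candidate = Path(rendered_rel_path)
    # An absolute rendered path ignores dst_root entirely, so reject it outright.
    if candidate.is_absolute():
        return False
    # resolve() collapses '..' segments and follows symlinks for components
    # that already exist, so an escape through either route shows up here.
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def find_escaping_paths(dst_root: str, rendered_paths: list[str]) -> list[str]:
    """Return the subset of rendered paths that would land outside dst_root."""
    return [p for p in rendered_paths if not is_contained(dst_root, p)]


# Constructed sample inputs (hypothetical project root and rendered names).
SAMPLE_ROOT = "generated-project"
SAMPLE_PATHS = [
    "README.md",
    os.path.join("src", "app.py"),
    os.path.join("docs", "..", "notes.txt"),          # '..' that stays inside root
    os.sep.join(["..", "forbidden.txt"]),              # sep-joined parent path
    os.path.join("nested", "..", "..", "forbidden.txt"),
    os.path.abspath("forbidden.txt"),                  # absolute path
]


def main() -> None:
    for path in SAMPLE_PATHS:
        verdict = "ok     " if is_contained(SAMPLE_ROOT, path) else "REJECT "
        print(f"{verdict} {path}")


if __name__ == "__main__":
    main()
```

Run the block as a script to see each constructed path labelled; in a real generator the rejected list from find_escaping_paths would abort the copy before any file is written.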

Added: Aug 18, 2025, 5:22 PM
Updated: Aug 18, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.