filelock TOCTOU Symlink Vulnerability in Lock File Creation
Vulnerability
A Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability has been identified in the filelock library for Python, affecting versions prior to 3.20.1. This vulnerability allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The issue arises during the lock file creation process on both Unix and Windows platforms. When filelock checks if a file exists before opening it with the O_TRUNC flag, an attacker can create a symlink to a target file in the brief interval between the check and the open operation. As a result, the os.open() function follows the symlink and truncates the intended file, leading to data loss or corruption. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted, and the vulnerability also affects dependent libraries such as virtualenv and PyTorch. Exploitation requires local filesystem access and the ability to create symlinks, with success rates of 25-90% depending on the target application.
Impact
Exploitation of this vulnerability allows for arbitrary file truncation or corruption, with specific impacts varying by application. In virtualenv, it can overwrite user configuration files with metadata, leaking sensitive information. In PyTorch, it can truncate model checkpoints or cache files, causing application crashes or failures in machine learning pipelines.
Reproduction
The vulnerability can be reproduced by creating a symlink to a high-value target file, such as a configuration file, and then triggering the filelock mechanism in an application. The symlink will be followed during the lock acquisition process, leading to the truncation of the target file.
Remediation
Users are advised to upgrade to filelock version 3.20.1 or later. If an immediate upgrade is not possible, consider using SoftFileLock instead of UnixFileLock or WindowsFileLock, ensuring that lock file directories have restrictive permissions to prevent untrusted users from creating symlinks, and monitoring lock file directories for suspicious symlinks before running trusted applications.
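The following is an added example, not filelock's own code and not the patch shipped in 3.20.1. It puts the check-then-open-with-O_TRUNC pattern the advisory describes beside a hardened open that omits O_TRUNC, passes O_NOFOLLOW where the platform defines it, and verifies after the open that the descriptor refers to a regular file rather than a link target; it also includes the kind of symlink scan of a lock directory that the remediation section recommends. The scenario it runs (a temp directory, a stand-in config file, a link planted at the lock path) is constructed for illustration; the function names are the example's own. On platforms without O_NOFOLLOW the post-open lstat/fstat comparison is a best-effort check and still leaves a small window, which is why upgrading remains the real fix.

```python
import os
import stat
import tempfile

# Assumption: O_NOFOLLOW exists on Unix-like systems; Windows lacks it, so 0 is used there.
_O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def vulnerable_lock_open(lock_path: str) -> int:
    """The pattern the advisory describes: an existence check, then an open with O_TRUNC.

    If the path is a symlink by the time os.open() runs, the link is followed and
    whatever it points at is truncated to zero bytes.
    """
    if not os.path.exists(lock_path):
        pass  # the gap between this check and the open below is the race window
    return os.open(lock_path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o644)


def hardened_lock_open(lock_path: str) -> int:
    """Hardened variant (this example's own approach, not filelock's fix).

    - No O_TRUNC: a lock file carries no payload, so there is nothing to truncate,
      and even a followed link would leave the target's content intact.
    - O_NOFOLLOW where available: the kernel refuses to open through a symlink (ELOOP).
    - Post-open verification: the descriptor must be a regular file that is the same
      inode as the (non-link) directory entry, as a fallback where O_NOFOLLOW is 0.
    """
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT | _O_NOFOLLOW, 0o644)
    try:
        opened = os.fstat(fd)
        entry = os.lstat(lock_path)
        if not stat.S_ISREG(opened.st_mode):
            raise OSError("lock path does not refer to a regular file")
        if stat.S_ISLNK(entry.st_mode) or (entry.st_dev, entry.st_ino) != (opened.st_dev, opened.st_ino):
            raise OSError("lock path is a symlink or was swapped during open")
    except Exception:
        os.close(fd)
        raise
    return fd


def find_symlinks(lock_dir: str) -> list:
    """Report symlinks directly inside a lock directory; lock files should be regular files."""
    found = []
    with os.scandir(lock_dir) as entries:
        for entry in entries:
            if entry.is_symlink():
                found.append(entry.path)
    return sorted(found)


def run_scenario() -> dict:
    """Constructed scenario: a link already sits at the lock path, pointing at a config file."""
    with tempfile.TemporaryDirectory() as work_dir:
        target = os.path.join(work_dir, "config.ini")  # constructed stand-in for a user file
        with open(target, "w") as f:
            f.write("[user]\ntoken = secret\n")
        lock_path = os.path.join(work_dir, "app.lock")
        os.symlink(target, lock_path)  # constructed: link planted at the lock path

        results = {"symlinks_found": find_symlinks(work_dir)}

        try:
            fd = hardened_lock_open(lock_path)
            os.close(fd)
            results["hardened"] = "opened"
        except OSError:
            results["hardened"] = "refused"
        results["target_size_after_hardened"] = os.path.getsize(target)

        fd = vulnerable_lock_open(lock_path)
        os.close(fd)
        results["target_size_after_vulnerable"] = os.path.getsize(target)
        return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the hardened open refusing the link and the target keeping its 22 bytes, while the check-then-O_TRUNC open follows the link and leaves the target at 0 bytes; the scan lists the planted link so a pre-run check of a lock directory would have flagged it.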
