unjs nanotar Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in unjs nanotar versions through 0.2.0. The issue resides in the 'parseTar()' and 'parseTarGzip()' functions, where the library fails to properly validate file names extracted from tar archive headers. This oversight allows remote attackers to craft tar archives that include path traversal sequences, such as '../../../', enabling them to write arbitrary files outside the designated extraction directory. The vulnerability follows the classic 'Zip Slip' pattern, potentially leading to unauthorized file overwrites or execution of malicious scripts, depending on the extracted file's location.

Impact

Exploitation of this vulnerability allows for arbitrary file writes outside the intended extraction directory, following the 'Zip Slip' vulnerability pattern. This could lead to overwriting critical system files, tampering with application configurations, or executing malicious code, especially if the written files are scripts or binaries that the system executes.

Reproduction

To reproduce this vulnerability, create a tar archive using the 'createTar' function from the nanotar library. Include a file entry that uses path traversal sequences to navigate outside the intended extraction directory. Once the malicious tar file is created, it can be extracted using the 'parseTar' or 'parseTarGzip' functions. The extraction process will overwrite or create files in the specified target path, demonstrating the path traversal vulnerability.

Remediation

Users of nanotar should update to the latest version and ensure that tar archives are extracted only through a validated, secure path. When using the 'parseTar()' or 'parseTarGzip()' functions, add a validation step that rejects any entry whose resolved output path falls outside the intended extraction directory before anything is written to disk.

Added: Feb 11, 2026, 6:25 PM
Updated: Feb 11, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.