filelock SoftFileLock TOCTOU Symlink Vulnerability

Vulnerability

A Time-of-Check-to-Time-of-Use (TOCTOU) race condition has been identified in the SoftFileLock implementation of the filelock package prior to version 3.20.3. An attacker with local filesystem access and permission to create symlinks can exploit a race between permission validation and file creation in the _acquire() method: during the brief interval between the permission check and the actual file creation, the attacker can place a symlink at the lock file path. This can cause lock operations to fail or behave unpredictably, potentially leading to a denial-of-service condition or causing the lock to act on an unintended file.

Impact

Exploitation of this vulnerability can result in silent failures of lock acquisitions, denial-of-service conditions by disrupting lock file creation, resource serialization issues that allow multiple processes to simultaneously acquire locks, and unintended operations on files controlled by the attacker.

Reproduction

To reproduce this vulnerability, an attacker must have local filesystem access and permission to create symlinks. The attack involves timing the creation of a symlink to intercept the lock acquisition process. When a process attempts to acquire a lock using SoftFileLock, the permission validation will pass. During the subsequent race window before the lock file is created, the attacker can quickly create a symlink at the lock file path. Once the symlink is in place, the lock operation may either fail or inadvertently apply to the file targeted by the symlink, instead of the intended lock file.

Remediation

Users should upgrade to filelock version 3.20.3 or later, where this vulnerability has been patched. For critical deployments, consider using UnixFileLock or WindowsFileLock instead of SoftFileLock, as these provide stronger guarantees through OS-level file locking and have already been patched for similar vulnerabilities.
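The following is an added illustration of the defect class described above and of the atomic-create pattern that closes it; it is not filelock's code and does not claim to be the 3.20.3 patch. The in_window hook stands in for another party acting inside the race window, and the file names and contents are constructed for the demo. It shows that a check-then-create sequence using O_CREAT without O_EXCL follows a symlink planted between the check and the open (so the open, and its O_TRUNC, land on the link target), whereas a single O_CREAT|O_EXCL open fails on anything already at the path, symlink included, and a post-create lstat confirms the entry is a regular file.

```python
"""Check-then-create race vs. atomic, symlink-refusing lock-file creation.

Added illustration, not the filelock project's code. The in_window hook stands
in for another process acting inside the race window; all file names and
contents below are constructed for this demo.
"""
import os
import stat
import tempfile
from typing import Callable, Optional

Hook = Optional[Callable[[], None]]


def naive_acquire(lock_path: str, in_window: Hook = None) -> None:
    """Check-then-use shape: validate first, then create with symlink-following flags."""
    # Time of check: is the lock directory writable?
    if not os.access(os.path.dirname(lock_path), os.W_OK):
        raise PermissionError(lock_path)
    # Race window: the path can be replaced by something else before it is used.
    if in_window is not None:
        in_window()
    # Time of use: O_CREAT without O_EXCL follows a symlink planted above, so the
    # open (and O_TRUNC) act on whatever the link points to.
    fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    os.close(fd)


def hardened_acquire(lock_path: str, in_window: Hook = None) -> None:
    """Atomic create: one syscall that fails if anything already sits at the path."""
    if not os.access(os.path.dirname(lock_path), os.W_OK):
        raise PermissionError(lock_path)
    if in_window is not None:
        in_window()
    # O_CREAT|O_EXCL is atomic and fails with EEXIST even when the existing entry
    # is a symlink; O_NOFOLLOW (absent on Windows, hence getattr) is a second guard.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(lock_path, flags, 0o644)
    os.close(fd)
    # Post-create verification: the entry this process now owns must be a regular file.
    if not stat.S_ISREG(os.lstat(lock_path).st_mode):
        os.unlink(lock_path)
        raise OSError("lock path is not a regular file: " + lock_path)


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def demonstrate() -> dict:
    """Run both variants against a symlink planted in the window; return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")    # constructed unrelated file
        lock = os.path.join(d, "resource.lock")   # constructed lock path
        with open(victim, "w") as f:
            f.write("important data\n")

        def plant_symlink() -> None:
            # Stands in for the interfering party inside the race window.
            os.symlink(victim, lock)

        naive_acquire(lock, plant_symlink)
        naive_victim = _read(victim)              # truncated through the link
        os.unlink(lock)
        with open(victim, "w") as f:
            f.write("important data\n")

        refused = False
        try:
            hardened_acquire(lock, plant_symlink)
        except OSError:                           # EEXIST from O_EXCL on the symlink
            refused = True
        hardened_victim = _read(victim)           # untouched
        os.unlink(lock)

        hardened_acquire(lock)                    # no interference: succeeds normally
        clean_is_regular = stat.S_ISREG(os.lstat(lock).st_mode)

    return {
        "naive_victim_contents": naive_victim,
        "hardened_refused": refused,
        "hardened_victim_contents": hardened_victim,
        "clean_lock_is_regular_file": clean_is_regular,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The point for a reviewer of any lock or temp-file code is that the permission check is not what protects the path; the protection is the single O_CREAT|O_EXCL syscall, which cannot be raced, plus an lstat on the result. This is also why OS-level locks (UnixFileLock, WindowsFileLock) are the stronger choice: they lock an open descriptor rather than relying on the presence of a path.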

Added: Jan 10, 2026, 6:20 AM
Updated: Jan 10, 2026, 6:20 AM

Vulnerability Rating (Custom Algorithm)

  spread           0.0
  impact           5.0
  exploitability   3.9
  remediation      7.7
  relevance        2.0
  threat           4.8
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.