GuardDog Path Traversal Vulnerability Leading to Arbitrary File Overwrite and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in GuardDog, a CLI tool for detecting malicious PyPI packages, in versions prior to 2.7.1. The vulnerability resides in the 'safe_extract()' function, where improper handling of file paths allows malicious packages to write arbitrary files outside the designated extraction directory. This flaw can result in arbitrary file overwrites and remote code execution on systems running GuardDog.

Impact

Exploitation of this vulnerability could lead to arbitrary file overwrites and remote code execution on the affected system.

Reproduction

To reproduce this vulnerability, a malicious PyPI package must be created with path traversal filenames. Once uploaded to PyPI or distributed directly, GuardDog can be used to scan the package. During the scanning process, GuardDog downloads and extracts the package, which triggers the vulnerability by writing malicious files to arbitrary locations on the system. This could be followed by executing the written files, depending on the locations and contents.

Remediation

Users can upgrade to GuardDog version 2.7.1 or later to address this vulnerability.
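The following is an added illustration of the extraction-time check whose absence the advisory describes; it is written for this page and is not GuardDog's own safe_extract(). Before anything is written, it rejects tar members whose path, or whose symlink target, would resolve outside the destination directory. The archive contents, the destination path and every function name other than safe_extract() are constructed assumptions.

```python
import io
import os
import tarfile

def is_within(directory: str, target: str) -> bool:
    """True if the normalised target path stays inside directory (no '..' escape)."""
    directory, target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonpath([directory, target]) == directory

def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members whose path or symlink target would land outside dest."""
    dest = os.path.abspath(dest)
    unsafe = []
    for m in tar.getmembers():
        # os.path.join drops dest when m.name is absolute, so '/etc/x' is caught as well
        target = os.path.join(dest, m.name)
        if not is_within(dest, target):
            unsafe.append(m.name)
        elif m.issym() and not is_within(dest, os.path.join(os.path.dirname(target), m.linkname)):
            unsafe.append(m.name)  # a symlink out of dest lets later members write through it
    return unsafe

def safe_extract(archive_bytes: bytes, dest: str, check_only: bool = False) -> list:
    """Return the unsafe member names; extract only when that list is empty."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        unsafe = find_unsafe_members(tar, dest)
        if unsafe and not check_only:
            raise ValueError("refusing to extract, traversal in members: %r" % unsafe)
        if not unsafe and not check_only:
            tar.extractall(dest, filter="data")  # Python 3.12+ built-in filter as defence in depth
        return unsafe

def build_archive(members: dict) -> bytes:
    """Constructed sample: bytes values become files, str values become symlinks to that target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, value in members.items():
            info = tarfile.TarInfo(name)
            if isinstance(value, str):
                info.type, info.linkname = tarfile.SYMTYPE, value
            else:
                info.size = len(value)
            tar.addfile(info, io.BytesIO(value) if info.size else None)
    return buf.getvalue()

# Constructed samples: a benign sdist layout and one carrying escaping members.
CLEAN = build_archive({"pkg-1.0/setup.py": b"from setuptools import setup\n"})
HOSTILE = build_archive({"pkg-1.0/setup.py": b"", "../escaped.txt": b"x",
                         "/tmp/abs.txt": b"", "pkg-1.0/link": "../../outside"})
```

Run with check_only=True to audit an archive without touching the filesystem; the comparison is done on normalised paths rather than string prefixes, so a sibling directory such as dest + "side" is not mistaken for a path inside dest.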

Added: Jan 13, 2026, 9:38 PM
Updated: Jan 13, 2026, 9:38 PM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact          10.0
exploitability   5.7
remediation      7.7
relevance        2.0
threat           4.8
urgency          2.9
incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.