node-tar Insufficient Link Path Sanitization Vulnerability Allowing Arbitrary File Overwrite and Symlink Poisoning

Vulnerability

A vulnerability exists in the node-tar library in versions through 7.5.2. The library does not properly sanitize the linkpath of hardlink (Link) and symbolic link (SymbolicLink) entries when the preservePaths option is disabled, which is the default. A malicious archive can therefore bypass the extraction root restriction: hardlink entries can be used to overwrite arbitrary files, and symlink entries whose target is an absolute path can be made to point at sensitive system locations (symlink poisoning).

Impact

Exploitation of this vulnerability allows for arbitrary file overwrites, where an attacker can overwrite any file accessible to the extraction process, bypassing path-based security measures. This does not extend to files that are not accessible during extraction, such as root-owned configuration files. Additionally, in CI/CD environments, overwriting certain files can lead to remote code execution. However, this vulnerability does not affect npm, as npm excludes all Link and SymbolicLink entries from extracted packages.

Reproduction

The vulnerability can be reproduced by creating a TAR archive that includes malicious Link and SymbolicLink headers. The Link header should be crafted to point to a local file, while the SymbolicLink header should target an absolute system path, such as /etc/passwd. Once the archive is created, it can be extracted using node-tar with the default settings, which will trigger the vulnerability by overwriting the local file and creating a symbolic link that points to the absolute path.

Remediation

Users should upgrade to node-tar version 7.5.3 or later, where this vulnerability has been fixed.

Added: Jan 16, 2026, 10:47 PM
Updated: Jan 16, 2026, 10:47 PM

Vulnerability Rating

Custom Algorithm
spread:         7.8
impact:         3.1
exploitability: 5.3
remediation:    7.7
relevance:      2.0
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.