Copier Library Symlink Vulnerability Allowing Arbitrary File Inclusion
Vulnerability
A vulnerability in the Copier library and CLI application, prior to version 9.11.2, allows a template that Copier treats as safe (one rendered without '--trust', so it cannot run tasks or migrations) to include arbitrary files or directories from outside the local template clone location. The template only needs to contain a symlink whose target lies outside the clone, for example a link to '~/.ssh'. With the default setting of '_preserve_symlinks: false', Copier dereferences symlinks while rendering: instead of recreating the link in the generated project, it copies the content of the link target. A malicious template can therefore pull sensitive files from the user's machine, such as SSH keys, into the generated project without any indication that the template was untrusted.
Impact
Exploitation of this vulnerability results in sensitive files from the user's machine, such as SSH private keys, being copied into the generated project. Those copies are then exposed as soon as the project is committed and pushed to a public repository, shared with others, or otherwise handled as ordinary project files.
Reproduction
The vulnerability can be reproduced by creating a template that contains symlinks pointing at files or directories outside the template's local clone location. With '_preserve_symlinks' left at its default value of 'false' (or set to 'false' explicitly in 'copier.yml'), the symlinks are followed during project generation and the linked content is copied into the output. This can be automated with a script that creates the sensitive file, the template and the symlink, and then runs the Copier command to generate a project from the template.
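The following Python script is an added example, not code from the Copier project or from the original advisory. It builds the proof-of-concept layout described above inside a temporary directory (a fake victim home containing a dummy SSH key, and a template whose 'vendor' entry is a symlink to that '.ssh' directory), and it implements the pre-render check a practitioner would want before rendering an untrusted template: walk the template without following links and report every symlink whose resolved target escapes the template root. The directory names, the 'vendor' link name and the dummy key content are all constructed here for illustration; the only Copier-specific facts used are the 'copier.yml' file name and the '_preserve_symlinks' setting.

```python
import os
import tempfile
from pathlib import Path

# Minimal copier.yml. '_preserve_symlinks' is a real Copier setting whose
# default is false; it is written out explicitly here so the check below
# has something to read. The question is constructed for the example.
COPIER_YML = """\
_preserve_symlinks: false
project_name:
  type: str
  default: demo
"""


def build_poc(workdir: Path) -> tuple[Path, Path]:
    """Create a fake victim home and a malicious template under workdir.

    Returns (template_root, victim_home). Everything here is constructed
    sample data; the 'private key' is a placeholder string.
    """
    victim_home = workdir / "victim_home"
    ssh_dir = victim_home / ".ssh"
    ssh_dir.mkdir(parents=True)
    (ssh_dir / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE KEY MATERIAL\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )

    template = workdir / "evil-template"
    template.mkdir()
    (template / "copier.yml").write_text(COPIER_YML)
    (template / "README.md.jinja").write_text("# {{ project_name }}\n")
    # The attack: an entry inside the template that is a symlink to a path
    # outside the template clone. With _preserve_symlinks false, affected
    # Copier versions copy the target's content into the generated project.
    os.symlink(ssh_dir, template / "vendor")
    return template, victim_home


def template_dereferences_symlinks(template_root: Path) -> bool:
    """True when the template leaves Copier following symlinks.

    Minimal line-based parse of copier.yml / copier.yaml (a real tool would
    use a YAML parser). Absent setting means the default, which is false,
    i.e. symlinks are dereferenced.
    """
    for name in ("copier.yml", "copier.yaml"):
        cfg = template_root / name
        if cfg.is_file():
            for line in cfg.read_text().splitlines():
                key, _, value = line.partition(":")
                if key.strip() == "_preserve_symlinks":
                    return value.strip().lower() not in ("true", "yes")
    return True


def find_escaping_symlinks(template_root: Path) -> list[tuple[Path, Path]]:
    """Return (link, resolved_target) for every symlink whose target lies
    outside template_root. Links are not followed while walking, so a
    symlinked directory is reported once and never descended into."""
    root = template_root.resolve()
    findings: list[tuple[Path, Path]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the whole chain, no error if dangling
            if target != root and root not in target.parents:
                findings.append((entry, target))
    return findings


def run_demo() -> dict:
    """Build the PoC in a temp dir and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        template, victim_home = build_poc(Path(tmp))
        hits = find_escaping_symlinks(template)
        return {
            "dereferences": template_dereferences_symlinks(template),
            "escaping": [link.name for link, _ in hits],
            "targets_victim_home": all(
                victim_home.resolve() in target.parents for _, target in hits
            ),
        }


if __name__ == "__main__":
    result = run_demo()
    print(result)
    # On Copier < 9.11.2, rendering this template with the default setting
    # ('copier copy evil-template out') would produce out/vendor/id_ed25519
    # holding the victim's key. Refuse to render when the check reports hits.
```

Running the script prints a dictionary in which 'dereferences' is True and 'escaping' lists the 'vendor' link; a wrapper around 'copier copy' can use 'find_escaping_symlinks' as a gate and abort when the list is non-empty. Note that '_preserve_symlinks: true' in the template is not a user-side defence: the attacker controls the template, so the check has to be on the consumer's side.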
Remediation
Users should update to Copier version 9.11.2 or later, where this vulnerability has been patched. Until the upgrade is in place, inspect untrusted templates for symlinks whose targets resolve outside the template clone before rendering them; setting '_preserve_symlinks: true' is a template-author choice and does not protect a user against a malicious template.
