Backstage Symlink Chain Bypass Vulnerability in @backstage/cli-common
Vulnerability
A path traversal vulnerability has been identified in Backstage's @backstage/cli-common package prior to version 0.1.17. The issue lies in the resolveSafeChildPath utility, which is intended to prevent path traversal but does not properly validate symlink chains or dangling symlinks. An attacker can bypass the path check in two ways: with a chain of symlinks that ultimately resolves outside the allowed directory, or with a dangling symlink whose target is a not-yet-existing path outside the base directory, which a later file operation then creates. The affected function is used by Scaffolder actions and other backend components to ensure that file operations stay within their designated directories.
Impact
Exploitation of this vulnerability could lead to unauthorized file access or modification, bypassing the intended directory restrictions.
Reproduction
The vulnerability can be reproduced by creating a symlink chain that links to a path outside the allowed directory or by creating a dangling symlink that points to a non-existent file outside the base directory, which is later created during a file operation.
Remediation
Users are advised to upgrade to @backstage/cli-common version 0.1.17 or later. Additionally, running Backstage in a containerized environment with limited filesystem access and restricting template creation to trusted users can help mitigate this vulnerability.
