github.com/theupdateframework/go-tuf
cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*
- <= 2.4.0
A path traversal vulnerability has been identified in the go-tuf TAP 4 multirepo client, affecting versions from 2.0.0 up to, but not including, 2.4.1. The vulnerability arises because the client uses the repository name from the map file as a component of the filesystem path when determining the local metadata cache directory. If an application accepts a map file from an untrusted source, an attacker can craft a repository name containing traversal sequences, causing go-tuf to write metadata files outside the designated cache directory and potentially overwrite other files that the process's filesystem permissions allow it to modify.
Exploitation of this vulnerability allows arbitrary file writes outside the intended metadata cache directory, bounded only by the process's filesystem permissions. This could lead to overwriting important files, such as configuration files, and may facilitate further attacks depending on the application's environment.
The vulnerability can be reproduced by creating a TAP 4 map file that includes a repository name with traversal components, such as '../escaped-repo'. When this map file is loaded by the go-tuf client with local caching enabled, the client will write the metadata file under the escaped path, outside the intended directory.
Users are advised to validate repository names in TAP 4 map files before using them with go-tuf. This includes rejecting absolute paths, path separators, and traversal components. If necessary, map repository names to a stable, validated directory name to ensure all writes remain within the cache base directory.
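One way to apply this guidance in Go, as an added example that is not go-tuf's own code: the validator rejects the name shapes listed above, the path check re-verifies that the joined directory stays under an application-supplied cache base (assumed here as `/var/cache/tuf`), and the hashed fallback is one way to realise the "stable, validated directory name" the advisory mentions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"strings"
)

// ValidateRepoName rejects TAP 4 repository names that could steer a path out of the cache base.
func ValidateRepoName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("empty repository name")
	case strings.ContainsAny(name, `/\`):
		return fmt.Errorf("repository name %q contains a path separator", name)
	case name == "." || name == "..":
		return fmt.Errorf("repository name %q is a traversal component", name)
	}
	return nil
}

// CacheDir joins a validated name under base and re-checks that the result still lies inside base.
func CacheDir(base, name string) (string, error) {
	if err := ValidateRepoName(name); err != nil {
		return "", err
	}
	base = filepath.Clean(base)
	dir := filepath.Join(base, name)
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("repository name %q escapes %s", name, base)
	}
	return dir, nil
}

// StableDirName maps any repository name to a fixed-width hex directory name, so the untrusted string never reaches the filesystem.
func StableDirName(name string) string {
	sum := sha256.Sum256([]byte(name))
	return hex.EncodeToString(sum[:16])
}

func main() { // constructed inputs: an honest name and the advisory's traversal name
	for _, name := range []string{"prod-repo", "../escaped-repo"} {
		dir, err := CacheDir("/var/cache/tuf", name)
		fmt.Printf("%q -> dir=%q err=%v stable=%s\n", name, dir, err, StableDirName(name))
	}
}
```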