apko Path Traversal Vulnerability in dirFS Filesystem Abstraction

Vulnerability

A path traversal vulnerability has been identified in apko versions from 0.14.8 up to, but not including, 1.1.1. The issue resides within the dirFS filesystem abstraction, where the MkdirAll, Mkdir, and Symlink methods fail to properly validate paths, allowing an attacker to create directories or symlinks outside the intended installation root. The vulnerability can be triggered by supplying a malicious APK package, for example through a compromised or typosquatted repository.

Impact

Exploitation of this vulnerability allows for unauthorized creation of directories or symlinks outside the designated installation root, which could lead to manipulation of the filesystem in unintended ways.

Reproduction

The vulnerability can be reproduced by using apko to build a container image from an APK package crafted to include a malicious tar header. The header name carries the traversal that the dirFS filesystem abstraction fails to reject. Once the image is built and run, the directories or symlinks created outside the intended installation root are present, demonstrating the vulnerability.
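The following Go example is added here and is not apko's code; it illustrates the kind of validation the advisory says MkdirAll, Mkdir and Symlink lacked. It combines a lexical check (absolute names and any ".." that climbs above the root are rejected) with resolution of whatever part of the path already exists on disk, so that a symlink planted by one archive entry cannot redirect a later directory creation outside the root. The function names (LexicalJoin, ResolveInRoot, SafeMkdirAll, SafeSymlink) and the sample entry names are assumptions constructed for this example and do not describe how the fix in 1.1.1 is implemented.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned for any name that would land outside root.
var ErrEscapesRoot = errors.New("path escapes installation root")

// LexicalJoin cleans a slash-separated name (as found in a tar header) and
// joins it to root, rejecting absolute names and any ".." that climbs above
// root. It inspects only the string, never the filesystem.
func LexicalJoin(root, name string) (string, error) {
	cleaned := path.Clean(name)
	if path.IsAbs(cleaned) || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", fmt.Errorf("%q: %w", name, ErrEscapesRoot)
	}
	return filepath.Join(root, filepath.FromSlash(cleaned)), nil
}

// ResolveInRoot performs LexicalJoin and then resolves symlinks in the part
// of the path that already exists, so a link created earlier in the same
// extraction cannot redirect a later Mkdir, MkdirAll or Symlink outside
// root. It returns the real host path the operation would touch.
func ResolveInRoot(root, name string) (string, error) {
	target, err := LexicalJoin(root, name)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Walk upward until a component that exists on disk is found; the
	// lexical check guarantees this stops at root at the latest.
	existing, rest := target, []string{}
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = append([]string{filepath.Base(existing)}, rest...)
		parent := filepath.Dir(existing)
		if parent == existing {
			break
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // follows any planted link
	if err != nil {
		return "", err
	}
	full := filepath.Join(append([]string{resolved}, rest...)...)
	if !isWithin(realRoot, full) {
		return "", fmt.Errorf("%q resolves to %q: %w", name, full, ErrEscapesRoot)
	}
	return full, nil
}

// isWithin reports whether p equals root or lies beneath it.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// SafeMkdirAll is a hardened counterpart of a dirFS-style MkdirAll.
func SafeMkdirAll(root, name string, perm os.FileMode) error {
	full, err := ResolveInRoot(root, name)
	if err != nil {
		return err
	}
	return os.MkdirAll(full, perm)
}

// SafeSymlink validates where the link itself is created. The link target
// (oldname) is stored verbatim because image-relative links are normal;
// any later operation that traverses it is caught by ResolveInRoot.
func SafeSymlink(root, oldname, newname string) error {
	full, err := ResolveInRoot(root, newname)
	if err != nil {
		return err
	}
	return os.Symlink(oldname, full)
}

func main() {
	base, err := os.MkdirTemp("", "apko-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "root")
	if err := os.MkdirAll(filepath.Join(base, "outside"), 0o755); err != nil {
		panic(err)
	}
	if err := os.Mkdir(root, 0o755); err != nil {
		panic(err)
	}
	// The link sits inside root, so creating it is permitted.
	_ = SafeSymlink(root, "../outside", "escape")
	// Constructed entry names standing in for tar header names.
	for _, name := range []string{"usr/lib/../bin", "../outside/x", "/etc", "escape/payload"} {
		fmt.Printf("%-16s -> %v\n", name, SafeMkdirAll(root, name, 0o755))
	}
}
```

The symlink case is the one a purely lexical check misses: "escape/payload" contains no ".." and is not absolute, yet following the planted link would create the directory outside the root.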

Remediation

Users can upgrade to apko version 1.1.1 or later, where this vulnerability has been patched.

Added: Feb 4, 2026, 7:19 PM
Updated: Feb 4, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.2
exploitability  6.3
remediation     0.0
relevance       2.6
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.