Melange Path Traversal Vulnerability in External Pipeline Resolver Allows Arbitrary File Access and Command Execution

Vulnerability

A path traversal vulnerability has been identified in Melange, a tool for building APK packages from declarative YAML pipelines. The issue affects versions from 0.32.0 up to, but not including, 0.43.4. It is reachable whenever an attacker can supply or modify a Melange configuration file, for example in pull-request-driven CI or build-as-a-service setups. The 'pipeline[].uses' field names an external pipeline definition to run; an attacker can place '../' sequences or an absolute path in it. The 'compilePipeline' function in 'pkg/build/compile.go' did not validate these 'uses' values properly, so the resolved path could escape the designated pipeline directories and point at any YAML-parseable file visible to the Melange process. A file loaded this way is treated as a Melange pipeline, and its 'runs:' block is executed via '/bin/sh -c' inside the build sandbox. Because the definition comes from outside the in-tree pipeline set, it receives none of the review that in-tree pipeline definitions normally get, and shell commands from out-of-tree files run during the build.

Impact

An attacker who controls a Melange configuration can have any YAML-parseable file readable by the Melange process loaded as a pipeline and can run attacker-chosen shell commands inside the build sandbox during the build, bypassing the review that in-tree pipeline definitions normally receive.

Remediation

Upgrade to Melange version 0.43.4 or later, where this vulnerability is fixed. In CI systems that build user-supplied Melange configurations and cannot upgrade immediately, review 'pipeline[].uses' values before the build runs and reject any that contain '../' sequences or absolute paths.
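As an added example (not Melange's own code, and not a reproduction of 'compilePipeline'), the following Go program contrasts a resolver that joins a 'uses' value onto the pipeline directory with no containment check, as the Vulnerability section describes, against a hardened resolver that rejects absolute values and lexically confirms the cleaned path stays under the directory. It then applies the same rule as a pre-build check over a constructed configuration, which is the review the Remediation section recommends. The directory '/work/pipelines', the function names, and the sample configuration are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Directory holding in-tree pipeline definitions. The name is an assumption
// for this example; Melange's real search locations are not reproduced here.
const pipelineDir = "/work/pipelines"

// resolveUsesUnchecked mirrors the flaw described in the advisory: the uses
// value is joined onto the pipeline directory with no containment check, so
// a value such as "../../../tmp/attacker" resolves outside pipelineDir.
func resolveUsesUnchecked(dir, uses string) string {
	return filepath.Join(dir, uses+".yaml")
}

// resolveUses is the hardened form: reject empty and absolute values, clean
// the relative path, then prove lexically (via filepath.Rel) that the
// candidate still lies under dir. This is a lexical check only; see the note
// on symlinks after the block.
func resolveUses(dir, uses string) (string, error) {
	if uses == "" {
		return "", fmt.Errorf("empty uses value")
	}
	if filepath.IsAbs(uses) {
		return "", fmt.Errorf("absolute uses value %q rejected", uses)
	}
	candidate := filepath.Join(dir, filepath.Clean(uses)+".yaml")
	rel, err := filepath.Rel(dir, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("uses value %q escapes %s", uses, dir)
	}
	return candidate, nil
}

// usesLine matches a "uses:" key in a pipeline step. This is deliberately a
// line-based scan for a CI pre-check, not a YAML parser.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)

// findUnsafeUses returns every uses value in a configuration that the
// hardened resolver would reject, so a reviewer can stop the build before
// any out-of-tree file is loaded.
func findUnsafeUses(config string) []string {
	var bad []string
	for _, line := range strings.Split(config, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if _, err := resolveUses(pipelineDir, m[1]); err != nil {
			bad = append(bad, m[1])
		}
	}
	return bad
}

// Constructed sample configuration for this example. The third and fourth
// steps carry the hostile values the advisory describes.
const sampleConfig = `package:
  name: demo
  version: 1.0.0
pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/demo.tar.gz
  - uses: autoconf/make
  - uses: ../../../tmp/attacker
  - uses: /tmp/attacker
  - runs: |
      make install
`

func main() {
	hostile := "../../../tmp/attacker"
	fmt.Printf("unchecked resolver: %q -> %s\n", hostile, resolveUsesUnchecked(pipelineDir, hostile))
	for _, u := range []string{"autoconf/make", hostile, "/tmp/attacker", "foo/../../bar"} {
		p, err := resolveUses(pipelineDir, u)
		if err != nil {
			fmt.Printf("hardened resolver:  %q rejected: %v\n", u, err)
			continue
		}
		fmt.Printf("hardened resolver:  %q -> %s\n", u, p)
	}
	fmt.Println("unsafe uses values in sample config:", findUnsafeUses(sampleConfig))
}
```

The containment test is lexical: if a pipeline directory itself contains symlinks pointing elsewhere, resolve both sides with filepath.EvalSymlinks before comparing. The line scanner is a reviewer aid rather than a YAML parser, so quoted, multi-line or anchored values still deserve a manual look.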

Added: Apr 24, 2026, 12:47 AM
Updated: Apr 24, 2026, 12:47 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.4
remediation: 0.0
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.