Romeo Path Traversal Vulnerability in Archive Sanitization Function

Vulnerability

A path traversal vulnerability has been identified in Romeo, a coverage collection tool for Go applications, in versions prior to 0.2.2. The flaw is in the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go`: the check that confines extracted tar entries to the destination directory compares paths without a trailing path separator, so an entry that resolves to a sibling directory whose name begins with the destination path (for example `out` versus `outside`) passes the check and is written outside the intended directory. Because the archives are read from a shared `ReadWriteMany` PVC, any pod with write access to that volume can plant a crafted tar archive and have the webserver extract it.

Impact

Successful exploitation yields an arbitrary file write on the machine running the webserver CLI, with the privileges of the user who runs it. An attacker could overwrite `~/.bashrc`, `~/.zshrc`, or `~/.profile` to obtain code execution at that user's next shell login, append a key to `~/.ssh/authorized_keys` for persistent SSH access, replace `~/.kube/config` to hijack the operator's Kubernetes cluster credentials, or add crontab entries for scheduled execution. Which files are reachable is bounded by the permissions of the user running the CLI and by the extraction path passed to `--directory`.

Reproduction

To reproduce, deploy Romeo and let a measured application write coverage data to the shared volume. From any pod with write access to the `ReadWriteMany` PVC, copy a crafted tar archive named `poc-path-traversal.tar` into the `coverdir` mount path. The archive contains legitimate coverage files plus two entries whose names are crafted to escape the extraction directory. Then run the webserver CLI `download` command with `--directory` set to the intended extraction path. The webserver unpacks the archive, and the two crafted entries are written outside the directory given to `--directory`, demonstrating the bypass.
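The following is an added example, not Romeo's code: a hypothetical reconstruction of the flawed pattern described in the Vulnerability section (a prefix check that omits the trailing separator) beside a hardened form, run over a constructed in-memory tar archive that mirrors the reproduction steps above. The entry names, contents and the `/tmp/romeo-out` destination are assumptions for the demo and are not the contents of `poc-path-traversal.tar`. The audit only resolves target paths and never writes to disk, so it is safe to run anywhere.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// sanitizeVulnerable is a hypothetical reconstruction of the flawed pattern:
// the resolved target is compared against the destination without a trailing
// separator, so "/tmp/romeo-outside/x" passes for destination "/tmp/romeo-out".
func sanitizeVulnerable(dst, name string) (string, error) {
	target := filepath.Join(dst, name) // Join also cleans "." and ".." components
	if !strings.HasPrefix(target, filepath.Clean(dst)) {
		return "", fmt.Errorf("illegal path %q", name)
	}
	return target, nil
}

// sanitizeFixed is the hardened form: the target must be the destination itself
// or start with the destination followed by a path separator.
func sanitizeFixed(dst, name string) (string, error) {
	cleanDst := filepath.Clean(dst)
	target := filepath.Join(cleanDst, name)
	if target != cleanDst && !strings.HasPrefix(target, cleanDst+string(os.PathSeparator)) {
		return "", fmt.Errorf("illegal path %q", name)
	}
	return target, nil
}

// entry is one constructed tar member.
type entry struct {
	name string
	body string
}

// pocEntries returns constructed sample members: two legitimate-looking coverage
// files, one sibling-prefix escape, and one plain "../.." escape. These are
// assumptions for the demo, not the contents of poc-path-traversal.tar.
func pocEntries() []entry {
	return []entry{
		{"covmeta.abc123", "meta"},
		{"./covcounters.abc123.1.1", "counters"},
		{"../romeo-outside/evil.sh", "#!/bin/sh\nid\n"},
		{"../../etc/cron.d/evil", "* * * * * root id\n"},
	}
}

// buildArchive serialises the entries into an in-memory tar archive.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// auditArchive walks the archive with the given check and returns the resolved
// paths the check would allow; it never writes anything to disk.
func auditArchive(archive []byte, dst string, check func(dst, name string) (string, error)) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var accepted []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		target, err := check(dst, hdr.Name)
		if err != nil {
			continue // rejected by the check
		}
		accepted = append(accepted, target)
	}
	return accepted, nil
}

func main() {
	const dst = "/tmp/romeo-out" // assumed --directory value
	archive := buildArchive(pocEntries())
	for _, c := range []struct {
		label string
		check func(string, string) (string, error)
	}{{"vulnerable", sanitizeVulnerable}, {"fixed", sanitizeFixed}} {
		accepted, err := auditArchive(archive, dst, c.check)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s check accepts:\n", c.label)
		for _, p := range accepted {
			fmt.Printf("  %s\n", p)
		}
	}
}
```

Running it shows that the plain `../../etc/cron.d/evil` entry is rejected by both checks, while `../romeo-outside/evil.sh` slips past the vulnerable one because `/tmp/romeo-outside` begins with the string `/tmp/romeo-out`. Two caveats on the hardened form: the `target != cleanDst` clause is what lets a `.` directory entry through, and a string comparison says nothing about symlinks already present under the destination, which need a separate check (for example resolving with `filepath.EvalSymlinks` before writing).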

Remediation

Users should update to Romeo version 0.2.2 or later, where the check in `sanitizeArchivePath` has been fixed.

Added: Mar 18, 2026, 11:21 PM
Updated: Mar 18, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 6.2
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.