DDEV Path Traversal Vulnerability in Archive Extraction Functions Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in DDEV, a tool for local web development environments, in versions prior to 1.25.2. The issue arises from unsanitized entry paths during extraction in the 'Untar()' and 'Unzip()' functions within 'pkg/archive/archive.go'. These functions download and extract archives from remote sources without validating that each entry's path resolves inside the intended destination directory, which leads to arbitrary file writes on the developer's machine. The vulnerability can be exploited by crafting a malicious archive whose entries, when extracted, write files outside the intended directory.
Impact
Exploitation of this vulnerability allows for arbitrary file writes on the developer's machine, potentially leading to further exploitation or manipulation of the local development environment.
Reproduction
The vulnerability can be reproduced by creating a malicious tar archive that includes a file with a path traversal sequence in its name, such as '../../../../../../tmp/ddev_cwe22_poc'. When this archive is processed by the vulnerable 'Untar()' function, the file is written to that resolved location outside the extraction directory, bypassing the intended path restrictions.
Remediation
Upgrade to DDEV version 1.25.2 or later, where this vulnerability has been patched.
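As an added illustration of the missing check (example code written for this page, not DDEV's own 'Untar()' nor the patch shipped in 1.25.2), the following Go program extracts a tar stream only after confirming that every entry name still resolves inside the destination directory. It builds a small in-memory archive containing one legitimate entry and the traversal entry named in the Reproduction section above; the archive, the 'safeJoin', 'SafeUntar', 'EscapingEntries' and 'BuildTar' names, and the 'addon/install.yaml' entry are all constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry would resolve outside dest.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// safeJoin resolves an entry name against dest and rejects any result that is
// not inside dest. Join cleans the path, so "../" segments are resolved before
// the containment check; Rel then tells us whether we climbed out of dest.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// EscapingEntries lists entry names that would escape dest, without writing
// anything. It can serve as a pre-extraction gate or a CI check on archives.
func EscapingEntries(archive []byte, dest string) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var bad []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		}
		if err != nil {
			return bad, err
		}
		if _, err := safeJoin(dest, hdr.Name); err != nil {
			bad = append(bad, hdr.Name)
		}
	}
}

// SafeUntar extracts regular files and directories from r into dest, stopping
// at the first entry that fails the containment check. Symlinks and other
// entry types are skipped here, since a link pointing outside dest is another
// traversal route that a fuller implementation must also handle.
func SafeUntar(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return written, err
			}
			_, copyErr := io.Copy(f, tr) // tar.Reader bounds the read to hdr.Size
			f.Close()
			if copyErr != nil {
				return written, copyErr
			}
			written = append(written, target)
		}
	}
}

// TarEntry is a constructed sample entry for BuildTar.
type TarEntry struct {
	Name string
	Body string
}

// BuildTar returns an in-memory tar archive of regular files (constructed
// sample data, not a real DDEV add-on archive). Entries keep their order.
func BuildTar(entries []TarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.Body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "safe-untar-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	archive := BuildTar([]TarEntry{
		{Name: "addon/install.yaml", Body: "name: demo\n"},
		{Name: "../../../../../../tmp/ddev_cwe22_poc", Body: "escaped\n"}, // traversal name from the advisory
	})
	bad, _ := EscapingEntries(archive, dest)
	fmt.Println("escaping entries:", bad)
	written, err := SafeUntar(bytes.NewReader(archive), dest)
	fmt.Println("written:", written, "error:", err)
}
```

The containment test is done on the cleaned joined path rather than by scanning the raw name for "..", so names like '..foo' are accepted while 'a/../../x' is rejected. Running the program writes only 'addon/install.yaml' into the temporary directory and reports the traversal entry as an error instead of touching '/tmp'.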