Copier Library and CLI Project Template Renderer Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the Copier library and CLI application, specifically in versions prior to 9.14.1. The issue arises from the `_external_data` feature, which allows templates to load YAML files using paths controlled by the template. If untrusted templates are used, a malicious template can exploit this feature to read local files chosen by the attacker, including sensitive information, and expose the contents in the rendered output. This vulnerability is particularly concerning because it can be exploited without the `--UNSAFE` flag, which is required for accessing external data paths outside the subproject root. The issue has been patched in version 9.14.1.

Impact

Exploitation of this vulnerability allows for unauthorized reading of local files outside the intended directory, with a high risk of disclosing sensitive information such as secrets stored in YAML or JSON format. The vulnerability's impact is magnified by the fact that it can be exploited without using the `--UNSAFE` option, which is typically required for accessing external data paths outside the subproject root.

Reproduction

To reproduce this vulnerability, create a Copier template whose `_external_data` entries point outside the subproject directory, using parent-directory (`..`) or absolute paths. When the template is processed, Copier reads the specified files and makes their contents available in the rendering context, effectively leaking them into the generated output. A template could, for example, point an `_external_data` entry at a Git-ignored file containing secrets and then reference that data through the `_external_data` variable when rendering.
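The containment check a patched loader needs is the counterpart of the reproduction above: every template-controlled `_external_data` path must be resolved against the subproject root and refused if it lands outside, unless the user has explicitly opted in. The following is an added example written for this page, not Copier's own code; the function names `resolve_external_data_path` and `audit_external_data`, the `unsafe` parameter (standing in for an `--UNSAFE` style opt-in) and the sample mapping are all assumptions.

```python
from __future__ import annotations

from pathlib import Path


class ExternalDataPathError(ValueError):
    """Raised when a template-supplied external data path escapes the subproject root."""


def resolve_external_data_path(subproject_root: str | Path, template_path: str,
                               unsafe: bool = False) -> Path:
    """Resolve one template-controlled `_external_data` path, refusing escapes.

    Hypothetical containment check, not Copier's own code. The path is joined
    to the subproject root and fully resolved, so `..` segments, absolute paths
    (which override the join in pathlib) and symlinks are all normalised before
    the containment test. Only when `unsafe` is explicitly True is a path
    outside the root accepted, mirroring the opt-in that an `--UNSAFE` style
    flag is meant to provide.
    """
    root = Path(subproject_root).resolve()
    candidate = (root / template_path).resolve()
    if unsafe or candidate == root or root in candidate.parents:
        return candidate
    raise ExternalDataPathError(
        f"refusing to load {template_path!r}: resolves to {candidate}, outside {root}"
    )


def audit_external_data(subproject_root: str | Path, external_data: dict[str, str],
                        unsafe: bool = False) -> tuple[dict[str, Path], dict[str, str]]:
    """Apply the check to a whole `_external_data` mapping (name -> path).

    Returns the paths that may be loaded and, separately, the rejected entries
    with the reason, so a loader can refuse the template and log every escape
    attempt rather than stopping at the first one.
    """
    accepted: dict[str, Path] = {}
    rejected: dict[str, str] = {}
    for name, template_path in external_data.items():
        try:
            accepted[name] = resolve_external_data_path(subproject_root, template_path, unsafe)
        except ExternalDataPathError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample `_external_data` mapping; the root directory need not
    # exist for the lexical part of the check, resolve() normalises it either way.
    sample = {
        "settings": "data/settings.yml",            # inside the root: fine
        "parent": "../.env.yml",                    # parent-directory traversal
        "absolute": "/absolute/outside/secrets.yml",  # absolute path overrides the join
    }
    ok, bad = audit_external_data("/srv/copier-subproject", sample)
    for name, path in ok.items():
        print(f"load   {name}: {path}")
    for name, reason in bad.items():
        print(f"reject {name}: {reason}")
```

The check resolves before comparing rather than rejecting on the literal `..` substring, so a symlink placed inside the root that points elsewhere is caught the same way as a plain traversal; when `unsafe` is set the function still resolves the path, which keeps the audit log accurate about what was actually read.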

Remediation

Users can update to Copier version 9.14.1 or later, where this vulnerability has been patched. The update is available through the Python Package Index (PyPI).

Added: Apr 2, 2026, 8:33 PM
Updated: Apr 2, 2026, 8:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.5
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.