apko Directory Traversal Vulnerability via Symlink Escaping
Vulnerability
A path traversal vulnerability has been identified in the 'apko' tool, which allows users to create and publish OCI container images from APK packages. The vulnerability affects versions from 0.14.8 up to, but not including, 1.2.5. The issue arises because a malicious APK can include a symlink that points outside the build root. Subsequent file-write or directory-creation actions can then follow this symlink, reaching host paths that the build user can write to. The root cause is the 'sanitizePath' function, which did not properly handle symlinks and so allowed them to escape the intended directory structure. The vulnerable code is reachable through the 'apko build-cpio' command and through the methods of the 'apko' tool's 'pkg/apk/fs' package that interact with the filesystem.
Impact
Exploitation of this vulnerability allows for unauthorized directory traversal, potentially leading to overwriting files or creating directories outside the intended build environment.
Reproduction
The vulnerability can be reproduced by creating an APK file that includes a symlink tar entry whose target is a path outside the build root. Once this APK is processed by an affected 'apko' version (0.14.8 up to, but not including, 1.2.5), subsequent writes beneath the symlink follow it to the specified host path, bypassing the intended restrictions.
Remediation
Users should upgrade to 'apko' version 1.2.5 or later, where this vulnerability has been fixed.
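The defensive check that this class of bug calls for, as an added example (not apko's own 'sanitizePath' code): before writing or creating a directory under the build root, resolve the symlinks in the part of the target path that already exists and confirm the real location is still inside the root. A purely lexical ".." check is not sufficient, because a symlink entry extracted earlier can point anywhere. Function names here are the example's own.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a path would land outside the build root.
var ErrEscape = errors.New("path escapes build root")

// SafeJoin joins rel onto root and verifies that the result still lies inside
// root after resolving every symlink in its already-existing prefix.
func SafeJoin(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil { return "", err }
	joined := filepath.Join(absRoot, rel) // Join also cleans "a/../b"
	if joined != absRoot && !strings.HasPrefix(joined, absRoot+string(filepath.Separator)) {
		return "", ErrEscape // lexical traversal ("../..")
	}
	// The root itself may be a symlink (e.g. macOS /var -> /private/var), so
	// compare real paths on both sides.
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil { return "", err }
	resolved, err := resolveExistingPrefix(joined)
	if err != nil { return "", err }
	relPath, err := filepath.Rel(realRoot, resolved)
	if err != nil || relPath == ".." || strings.HasPrefix(relPath, ".."+string(filepath.Separator)) {
		return "", ErrEscape // a symlink in the existing prefix points outside root
	}
	return joined, nil
}

// resolveExistingPrefix resolves symlinks in the longest existing prefix of p
// and re-attaches the not-yet-created remainder lexically.
func resolveExistingPrefix(p string) (string, error) {
	rest := ""
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(r, rest), nil
		}
		if !os.IsNotExist(err) {
			return "", err
		}
		dir, base := filepath.Split(p)
		if dir = filepath.Clean(dir); dir == p {
			return "", errors.New("no existing prefix for " + p)
		}
		p, rest = dir, filepath.Join(base, rest)
	}
}
```

Paths that do not exist yet are allowed as long as their nearest existing ancestor resolves inside the root, which is the case an image builder hits on every fresh write.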