Gleam Symlink Following Vulnerability in Hex Package Export Allows File Embedding Outside Project Root

A symlink following vulnerability has been identified in Gleam's Hex package export feature. This vulnerability allows files located outside the project root to be embedded in the generated package tarball. The issue arises because the file collection helpers in the compiler CLI module follow symlinks when traversing publishable directories, such as 'src/' and 'priv/'. The collected paths are then added to the package archive without verifying that they remain within the project root. As a result, a symlink placed in a publishable directory can lead to the inclusion of arbitrary files in the Hex package. This vulnerability affects Gleam versions 0.10.0-rc1 prior to 1.17.0.

Impact

Exploitation of this vulnerability allows for the unauthorized inclusion of sensitive files, such as secrets, tokens, or SSH keys, into a published Hex package, without the knowledge of the package maintainer.

Reproduction

To reproduce this vulnerability, create a symlink in the 'src/' or 'priv/' directory of a Gleam project, pointing to a sensitive file, such as an SSH key. Then, run the 'gleam export hex-tarball' or 'gleam publish' command. The contents of the symlink target will be embedded in the generated Hex package tarball, under the path corresponding to the symlink.

Remediation

Users can update to Gleam version 1.17.0 or later, where this vulnerability has been patched. Additionally, reviewing the 'src/' and 'priv/' directories for unexpected symlinks before publishing can help mitigate this issue.