jq
cpe:2.3:a:jq_project:jq:*:*:*:*:*:*:*
- <= 1.8.1
A vulnerability in jq, a command-line JSON processor, allows embedded NUL bytes in import paths to bypass local redaction policies. The issue affects jq versions through 1.8.1. It arises because jq's import path handling converts length-aware strings into NUL-terminated C strings, so the path a policy check examines and the path used for module and data file lookup can differ: the lookup stops at the first NUL byte and ignores everything after it. As a result, jq can load unintended files, and sensitive information that should have been redacted can end up in published artifacts.
Exploitation of this vulnerability can cause a local workflow to publish artifacts containing sensitive information that should have been redacted, creating a risk of unintentional data exposure.
The vulnerability can be reproduced by creating a jq filter that imports a module with an embedded NUL byte in the import path. This import will pass policy checks that only allow certain names, but jq will resolve it to a different file than expected, loading sensitive data instead of the intended redaction rules.
Users are advised to avoid embedding NUL bytes in jq import paths. However, as of now, there is no official patch available for this vulnerability.
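As an added illustration (not code from jq or from this advisory), the C sketch below shows the mismatch described above and the check that closes it: a hypothetical length-aware allowlist policy inspects the whole buffer, while a NUL-terminated lookup sees only the bytes before the first NUL, so the hardened variant rejects any path whose two views disagree. The allowlist name `redact`, the sample inputs and all function names are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Length-aware string, the form jq carries a path in internally:
 * the buffer may contain NUL bytes, so len marks the end, not a terminator. */
typedef struct {
    const char *data;
    size_t len;
} lstr;

/* Length of the same buffer as a NUL-terminated C string would see it. */
static size_t c_string_len(lstr s)
{
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* Hypothetical policy: only a module named "redact" may be imported. It is
 * length-aware and checks the suffix of the whole buffer, so it never notices
 * bytes that sit before an embedded NUL. */
static bool policy_allows_naive(lstr path)
{
    static const char want[] = "redact";
    const size_t n = sizeof want - 1;
    return path.len >= n && memcmp(path.data + path.len - n, want, n) == 0;
}

/* True when the resolver would open exactly the name the policy examined. */
static bool views_agree(lstr path)
{
    return c_string_len(path) == path.len;
}

/* Hardened policy: refuse any path whose length-aware and C-string views
 * differ, then apply the allowlist to the one representation that is left. */
static bool policy_allows_hardened(lstr path)
{
    return views_agree(path) && policy_allows_naive(path);
}
/* Constructed sample inputs (not taken from the advisory). */
static lstr sample_clean(void)
{
    static const char s[] = "redact";
    return (lstr){ s, sizeof s - 1 };
}
static lstr sample_embedded_nul(void)
{
    static const char s[] = "secrets\0redact";   /* 14 bytes, NUL at index 7 */
    return (lstr){ s, sizeof s - 1 };
}
```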