Pulpy Incomplete Sandbox Vulnerability Allows Arbitrary File Access in Packaged Web Applications

Vulnerability

A vulnerability exists in Pulpy, a cross-platform desktop application packager for web apps, prior to version 0.1.1. Pulpy injects a JavaScript API, pulpy.fs, into every packaged web application, granting access to the host filesystem. Although a function named validateFsPath() is intended to sandbox this access, its blocklist is incomplete. As a result, any web app packaged with Pulpy can read and write arbitrary files in the user's home directory, including sensitive files such as SSH keys, AWS credentials, and Keychain data.

Impact

Exploitation of this vulnerability allows packaged web applications to bypass the intended filesystem sandbox, accessing and potentially exfiltrating sensitive user files. This includes SSH private keys, AWS credentials, Keychain data, command history, and Git configuration files, which could contain personal access tokens.

Reproduction

The vulnerability can be reproduced by packaging a web application with Pulpy version 0.1.1-beta or earlier and opening the result: the packaged application can then read sensitive files from the user's home directory that the sandboxing function failed to block. This can be verified by compiling and running a proof-of-concept file that demonstrates the bypass of the sandboxing function.

Remediation

Users can update to Pulpy version 0.1.1, which addresses the vulnerability by implementing a proper allowlist for filesystem access.

Added: May 12, 2026, 8:42 PM
Updated: May 12, 2026, 8:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.5
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.