PraisonAI Symlink Extraction Vulnerability in Recipe Management

A vulnerability in PraisonAI versions prior to 4.6.37 allows for arbitrary file writing outside the intended extraction directory. The issue arises in the `_safe_extractall` helper, which is used in recipe management flows. While the function validates archive member names to prevent absolute paths and directory traversal, it fails to check symlink or hardlink members properly. This oversight allows an attacker to create a malicious bundle that exploits the extraction process, writing files to locations of their choosing on the victim's filesystem.

Impact

Exploitation of this vulnerability could lead to unauthorized overwriting of files, including sensitive configuration and project files. If the affected process runs as root, it could allow modification of critical system files.

Reproduction

The vulnerability can be reproduced by creating a `.praison` bundle that includes a symlink pointing outside the destination directory, followed by a regular file whose path traverses through the symlink. This bundle can then be extracted using the `praisonai recipe unpack` command, which will result in the file being written to the location specified by the symlink, outside the intended directory.

Remediation

Users can update to PraisonAI version 4.6.37 or later, where this vulnerability has been patched. For those using versions of Python 3.8 to 3.11, the official PEP 706 backport can be applied to add the necessary safeguards against this type of vulnerability.