Crabbox Path Traversal Vulnerability in Islo Provider

Vulnerability

A path traversal vulnerability exists in Crabbox versions prior to 0.9.0, in the Islo provider's workspace path resolution. The resolver accepts absolute paths and relative paths containing traversal sequences, so a configured workspace path can escape the intended '/workspace' directory. An attacker who can supply a crafted '.crabbox.yaml' or 'crabbox.yaml' file can therefore steer the workspace preparation logic, which runs 'rm -rf' (when 'sync.delete' is enabled) and 'mkdir -p' on the resolved path without validating that it stays inside '/workspace', into deleting or overwriting arbitrary files.

Impact

Exploitation could lead to unauthorized deletion and overwriting of files outside the intended '/workspace' directory on the system where workspace preparation runs, potentially causing data loss or disruption of service.

Reproduction

To reproduce this vulnerability, create a '.crabbox.yaml' or 'crabbox.yaml' file whose workspace path contains traversal sequences (or is absolute) so that it resolves outside '/workspace', and supply it to a Crabbox installation older than 0.9.0. With 'sync.delete' enabled, workspace preparation runs 'rm -rf' on the resolved path, deleting whatever it points at; 'mkdir -p' then runs on the same path.
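The following is an added illustration, not Crabbox's own code, of the resolution flaw described in the Vulnerability and Reproduction sections and of the containment check that closes it. It models the preparation step as a planner that returns the commands it would run instead of executing them. The configuration key name 'workspace', the function names, and the dict standing in for a parsed '.crabbox.yaml' are assumptions; only '/workspace', 'sync.delete', 'rm -rf' and 'mkdir -p' come from the advisory.

```python
import posixpath

# Assumed: the container-side directory that the advisory says the
# workspace must stay inside.
WORKSPACE_ROOT = "/workspace"


def resolve_workspace_vulnerable(root: str, configured: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the configured path is
    joined onto the root and normalised with no containment check.

    posixpath.join discards `root` entirely when `configured` is absolute,
    and normpath happily collapses '..' segments past the root.
    """
    return posixpath.normpath(posixpath.join(root, configured))


def resolve_workspace_safe(root: str, configured: str) -> str:
    """Hardened resolution: normalise, then require the result to be the root
    itself or a descendant of it. Rejects absolute paths and traversal.

    The check uses `root + "/"` rather than a bare prefix test so that a
    sibling such as '/workspace-evil' is not accepted as inside '/workspace'.
    This is a lexical check only; a symlink inside the root that points
    outside it would still need a realpath-based check at runtime.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, configured))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"workspace path escapes {root}: {configured!r}")
    return candidate


def plan_prepare(config: dict, resolve) -> list[str]:
    """Return the shell commands the preparation step would run for `config`.

    Commands are returned as strings and never executed, so the example is
    safe to run. The 'workspace' key is an assumed name for the configured
    path; 'sync.delete' is the switch the advisory names.
    """
    target = resolve(WORKSPACE_ROOT, config.get("workspace", "."))
    cmds = []
    if config.get("sync", {}).get("delete"):
        cmds.append(f"rm -rf {target}")
    cmds.append(f"mkdir -p {target}")
    return cmds


# Constructed stand-in for what a crafted .crabbox.yaml would parse to.
MALICIOUS_CONFIG = {"workspace": "../../etc", "sync": {"delete": True}}
BENIGN_CONFIG = {"workspace": "project", "sync": {"delete": True}}


if __name__ == "__main__":
    # Vulnerable resolver: the crafted config walks 'rm -rf' out to /etc.
    print(plan_prepare(MALICIOUS_CONFIG, resolve_workspace_vulnerable))
    # Hardened resolver: benign config still works...
    print(plan_prepare(BENIGN_CONFIG, resolve_workspace_safe))
    # ...and the crafted one is refused before any command is planned.
    try:
        plan_prepare(MALICIOUS_CONFIG, resolve_workspace_safe)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable resolver is the one to watch for in other code: `os.path.join` and `posixpath.join` silently drop the base when the second argument is absolute, and `normpath` alone never tells you that '..' crossed the base. Any path taken from configuration must be normalised and then compared against the base with a separator-aware prefix test before a destructive command uses it.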

Remediation

Upgrade to Crabbox version 0.9.0 or later, where this vulnerability has been fixed. Until the upgrade is applied, leaving 'sync.delete' disabled for configurations from untrusted sources prevents the 'rm -rf' step, but does not remove the exposure, since 'mkdir -p' still runs on the unvalidated resolved path.

Added: May 11, 2026, 7:24 PM
Updated: May 11, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.4
remediation: 0.0
relevance: 7.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.