Microsoft APM Symbolic Link Following Vulnerability in Dependency Integration
Vulnerability
A vulnerability exists in Microsoft APM versions 0.5.4 through 0.12.4, where the CLI component improperly handles symbolic links in package files. During the integration process, two key functions enumerate package files with standard globbing methods that do not distinguish symlinks from regular files. As a result, a symlink pointing at a sensitive file is followed and the target's contents are copied into the project's deploy directories as a regular file. This is not flagged by the package's content hash, by a pre-deploy security scan, or by the APM audit feature. The exposure is compounded because the deploy directories are not excluded from version control, so the copied contents can be committed and pushed unintentionally.
Impact
Exploitation of this vulnerability results in unauthorized disclosure of file contents. Any file readable by the user running the APM command can be targeted with an absolute symlink in the package; its contents are written into the project's deploy directories as a regular file. The copied contents persist even after the original symlink target is removed, as demonstrated with a sentinel file.
Reproduction
The vulnerability can be reproduced by creating a bare Git repository containing an APM package whose '.apm/prompts/' or '.apm/agents/' directory includes symlinks. Once this package is committed, it can be cloned and installed as a dependency in a separate project. During installation, APM follows and dereferences the symlinks, copies the linked file contents into the project's deploy directories, and, by default, stages these files for commit.
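The following is an added example, not APM's own code, that models the flawed enumerate-and-copy pattern described above next to a hardened variant. It builds a malicious package in a temporary directory with an absolute symlink under '.apm/prompts/' pointing at a constructed sentinel file, shows that the vulnerable integrator writes the sentinel's contents into the deploy directory as a regular file that survives removal of the target, and shows that the hardened integrator refuses the package before copying anything. The directory layout, the deploy directory name, and the function names are assumptions made for the demonstration.

```python
"""Model of the symlink-following integration flaw and a hardened variant.

Added example, not APM's own code: directory names, function names and the
sentinel content are assumptions chosen for this demonstration.
"""
import os
import shutil
import tempfile
from pathlib import Path


class UnsafePackageEntry(Exception):
    """Raised when a package entry is a symlink or resolves outside the package."""


def vulnerable_integrate(package_root: Path, deploy_dir: Path) -> list[Path]:
    """Flawed pattern: glob the package's prompt files and copy each one.

    Path.glob() lists a symlink like any other entry, is_file() is True for a
    symlink whose target is a regular file, and shutil.copy() dereferences the
    link, so the target's contents land in deploy_dir as a plain file.
    """
    deploy_dir.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in sorted((package_root / ".apm" / "prompts").glob("*.md")):
        if src.is_file():
            dst = deploy_dir / src.name
            shutil.copy(src, dst)  # follows the symlink
            copied.append(dst)
    return copied


def hardened_integrate(package_root: Path, deploy_dir: Path) -> list[Path]:
    """Same enumeration, but every entry is validated before anything is copied:
    symlinks are rejected and each file must resolve inside the package tree."""
    prompts = (package_root / ".apm" / "prompts").resolve()
    candidates = sorted(prompts.glob("*.md"))
    for src in candidates:
        if src.is_symlink():
            raise UnsafePackageEntry(f"refusing symlink in package: {src}")
        if src.is_file() and not src.resolve().is_relative_to(prompts):
            raise UnsafePackageEntry(f"entry escapes package root: {src}")
    deploy_dir.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in candidates:
        if src.is_file():
            dst = deploy_dir / src.name
            shutil.copy(src, dst, follow_symlinks=False)
            copied.append(dst)
    return copied


def demo() -> dict:
    """Build a malicious package in a temp dir, run both integrators, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sentinel standing in for any file the installing user can read.
        sentinel = root / "home" / "id_ed25519"
        sentinel.parent.mkdir()
        sentinel.write_text("SENTINEL-PRIVATE-KEY\n")

        # The dependency as it would arrive from the cloned repository.
        package = root / "evil-package"
        prompts = package / ".apm" / "prompts"
        prompts.mkdir(parents=True)
        (prompts / "helpful.md").write_text("# A harmless prompt\n")
        os.symlink(sentinel, prompts / "leak.md")  # absolute symlink to the target

        deploy = root / "victim-project" / "deploy"  # assumed deploy directory
        copied = vulnerable_integrate(package, deploy)
        leaked = deploy / "leak.md"
        result = {
            "copied": [p.name for p in copied],
            "leak_is_regular_file": leaked.is_file() and not leaked.is_symlink(),
            "leak_contents": leaked.read_text(),
        }

        safe_deploy = root / "victim-project" / "deploy-hardened"
        try:
            hardened_integrate(package, safe_deploy)
            result["hardened_refused"] = False
        except UnsafePackageEntry:
            result["hardened_refused"] = True
        result["hardened_wrote_nothing"] = not safe_deploy.exists()

        # Remove the original target: the dereferenced copy survives.
        sentinel.unlink()
        result["survives_target_removal"] = leaked.read_text() == "SENTINEL-PRIVATE-KEY\n"
        return result


if __name__ == "__main__":
    print(demo())
```

The hardened variant validates the whole entry list before creating the deploy directory, so a rejected package leaves no partial output behind to be staged; the `is_relative_to` check is a second line of defence in case a directory component, rather than the file itself, is the link.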
Remediation
Users can update to Microsoft APM version 0.13.0, where this vulnerability has been fixed.
