QID 980366

QID 980366: Nodejs (npm) Security Update for tar (GHSA-3jfq-g458-7qm9)

Security update has been released for tar to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`.

This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

  • CVSS V3 rated as Critical - 8.1 severity.
  • CVSS V2 rated as Medium - 5.8 severity.
    • Solution
    3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

    NOTE: an adjacent issue [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw) affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case.Workaround:
    Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths.

    ```js
    const path = require('path')
    const tar = require('tar')

    tar.x({
    file: 'archive.tgz',
    // either add this function...
    onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
    entry.path = sanitizeAbsolutePathSomehow(entry.path)
    entry.absolute = path.resolve(entry.path)
    }
    },

    // or this one
    filter: (file, entry) => {
    if (path.isAbsolute(entry.path)) {
    return false
    } else {
    return true
    }
    }
    })
    ```

    Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.
    Vendor References

    CVEs related to QID 980366

    CVE-2021-32804 |
    Software Advisories
    Advisory ID Software Component Link
    GHSA-3jfq-g458-7qm9 tar URL Logo github.com/advisories/GHSA-3jfq-g458-7qm9
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].