PyPi: Guarddog

CVE-2022-23530

Safety vulnerability ID: 54606

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 16, 2022 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

### Summary

Unsafe extracting using `shutil.unpack_archive()` from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination.

### Details

Extracting files using `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten.

The vulnerable code snippet is between [L153..158](https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158).

```python
response = requests.get(url, stream=True)

with open(zippath, "wb") as f:
f.write(response.raw.read())

shutil.unpack_archive(zippath, unzippedpath)
```
It seems that a remotely retrieved tarball which could be with the extension `.tar.gz` happens to be unpacked using `shutil.unpack_archive()` with no destination verification/limitation of the extracted files.

### PoC

The PoC provided showcases the risk of extracting the non-harmless text file `sim4n6.txt` to a parent location rather than the current folder.

```bash
> tar --list -f archive.tar
tar: Removing leading `../../../' from member names
../../../sim4n6.txt

> python3
Python 3.10.6 (main, Nov 2 2022, 18:53:38) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import shutil
>>> shutil.unpack_archive("archive.tar")
>>> exit()

> file ../../../sim4n6.txt
../../../sim4n6.txt: ASCII text
```

### A Potential Attack Scenario

- An attacker may craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely, thus, providing a possibility to overwrite the system files.

### Mitigation

Potential mitigation could be to:
- Use a safer module, like `zipfile`.
- Validate the location of the extracted files and discard those with malicious paths such as a relative path `..` or absolute ones.

Affected package

guarddog

Latest version: 2.1.0

GuardDog is a CLI tool to Identify malicious PyPI packages

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

MEDIUM 6.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Availability (A): NONE