Node.js maintainers have launched a major update to the npm package "tar" (aka node-tar) that resolves five critical safety flaws, including some that possess a remote code execution threat.
The npm package was vulnerable to arbitrary File Creation/Overwrite vulnerability due to insufficient relative path sanitization. The npm package presents itself as a module that accepts JavaScript proxy configuration files and creates a function for the user’s app to locate certain domains.
The first three flaws tracked as CVE-2021-37712, CVE-2021-37701, and CVE-2021-37701 fall into the high-risk category while the other two flaws were categorized as being of moderate risk.
“Path integrity controls built into the technology came unstuck when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems”, as explained in a National Vulnerability Database (NVD).
“The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite,” it added.
These five security flaws seriously impact those who use npm package versions prior to 5.0.0, even transitively in their Node.js application, and:
• Explicitly use PAC files for proxy configuration or
• Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled or
• Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from an untrusted source
“If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the file system, but _not_ from the internal directory cache, as it would not be treated as a cache hit,” researchers explained.
Node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. The CVE-2021-37712 vulnerability violates this control, thus creating a risk from malformed tar archives similar to the CVE-2021-37701 vulnerability.