All the vulnerabilities related to the version 0.5.1 of the package
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Improper Privilege Management in shelljs
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
If you have any questions or comments about this advisory:
tar-fs can extract outside the specified dir with a specific tarball
v3.0.8, v2.1.2, v1.16.4 and below
Has been patched in 3.0.9, 2.1.3, and 1.16.5
You can use the ignore option to ignore non files/directories.
ignore (_, header) {
// pass files & directories, ignore e.g. symlinks
return header.type !== 'file' && header.type !== 'directory'
}
Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.
// Create a writable stream to extract the tar content
const extractStream = tarfs.extract('/', {
// We can ignore the file type checks to allow the extraction of the malicious file
ignore: (name) => false,
});
// Create a tar stream
const tarStream = tarfs.pack().on('error', (err) => {
throw err;
});
// Append the malicious entry to the tar stream
tarStream.entry({ name: '/flag.txt', mode: 0o644 }, Buffer.from('This is a flag!'));
// Finalize the tar stream
tarStream.finalize();
// Pipe the tar stream into the extract stream
tarStream.pipe(extractStream);
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
v3.1.0, v2.1.3, v1.16.5 and below
Has been patched in 3.1.1, 2.1.4, and 1.16.6
You can use the ignore option to ignore non files/directories.
ignore (_, header) {
// pass files & directories, ignore e.g. symlinks
return header.type !== 'file' && header.type !== 'directory'
}
Reported by: Mapta / BugBunny_ai
Improper Input Validation in tar-fs
A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.