fix(sandbox): refuse symlink/hardlink members in result tarball extra… #46
Open
aydinnyunus wants to merge 2 commits into
…ction extractTarballLocally previously shelled out to `tar -xzvf` with no hardening, so a tarball produced inside the (untrusted) sandbox VM could plant a symlink member followed by a regular file member writing through it. That turned sandbox-side code execution into orchestrator-host arbitrary file write (CVE-2007-4131 / CVE-2018-20482 class) — a clean escape across the trust boundary the README threat model defines.

Switch to node-tar via runtime resolution against node_modules/.pnpm (no package.json change). node-tar strips absolute paths and `..` components, refuses to follow symlinks during extraction, and the explicit filter here additionally rejects SymbolicLink and Link members entirely — the agent only ever produces regular FileRecord JSON, so anything else is by definition adversarial.
Someone is attempting to deploy a commit to the Vercel Labs Team on Vercel. A member of the Team first needs to authorize it.
Contributor
Also, please repush with a signed commit
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
What changed
I changed extractTarballLocally to a secure version.
Why
There was a security vulnerability.
Verification
- `pnpm test` passes
- `pnpm lint` passes
- `pnpm knip` passes
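The member-type check the description above relies on, as an added example that is not the pull request's code and does not use node-tar: a stand-alone audit of tar headers that fails closed on everything except regular files and directories. It assumes an already-gunzipped ustar buffer with octal size fields and does not verify header checksums; `auditTar`, `field`, `member` and the sample archive are hypothetical names and constructed data.

```javascript
// Added example (not the PR's code): audit an uncompressed ustar buffer
// before extraction and report members an extractor should refuse.
const LINK_TYPES = { '1': 'Link', '2': 'SymbolicLink' }; // tar typeflag -> name used in the PR text

function field(hdr, off, len) {            // NUL-terminated header field
  const raw = hdr.subarray(off, off + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? len : end);
}

function auditTar(buf) {
  const rejected = [];
  for (let off = 0; off + 512 <= buf.length; ) {
    const hdr = buf.subarray(off, off + 512);
    if (hdr.every((b) => b === 0)) break;   // end-of-archive marker
    const prefix = field(hdr, 345, 155);
    const name = (prefix ? prefix + '/' : '') + field(hdr, 0, 100);
    const type = String.fromCharCode(hdr[156] || 0x30); // NUL also means regular file
    const size = parseInt(field(hdr, 124, 12).trim() || '0', 8);
    if (type !== '0' && type !== '5') {     // fail closed on anything but file/dir
      rejected.push({ name, reason: LINK_TYPES[type] || `type ${type}` });
    } else if (name.startsWith('/') || name.split('/').includes('..')) {
      rejected.push({ name, reason: 'path escapes destination' });
    }
    off += 512 + Math.ceil(size / 512) * 512; // header + padded body
  }
  return rejected;
}

// Constructed sample archive; all names and contents are made up.
function member(name, type, linkname = '', data = '') {
  const hdr = Buffer.alloc(512);
  const body = Buffer.alloc(Math.ceil(Buffer.byteLength(data) / 512) * 512);
  hdr.write(name, 0);
  hdr.write(Buffer.byteLength(data).toString(8).padStart(11, '0'), 124);
  hdr.write(type, 156);
  hdr.write(linkname, 157);
  Buffer.from(data).copy(body);
  return Buffer.concat([hdr, body]);
}
const sample = Buffer.concat([
  member('results/out.json', '0', '', '{"ok":true}'),
  member('results/link', '2', '/outside'),
  member('results/link/file.txt', '0', '', 'constructed'), // clean path, passes name checks
  member('results/hard', '1', 'results/out.json'),
  member('../outside.txt', '0', '', 'x'),
  Buffer.alloc(1024),
]);
console.log(auditTar(sample));
```

The regular file `results/link/file.txt` passes the path checks on its own, which is why the link members themselves have to be refused rather than only validating names.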