7/29/2023 0 Comments Unpkg react16.3The second problem with this code is that even if headers.type did correctly check for symlink, the main attack below still worked due to issues with the tar library’s implementation of ignore functions. So right away this gives us arbitrary file reads on the server by creating a symlink to / and browsing through the directory with the web interface. With this tar library, the header.type for a symlink entry is symlink, not link. The first problem with this code is that it doesn’t actually ignore symlinks like it says it does. To serve react’s package.json file, for example, you can just visit Or, to get a directory listing of the whole package, you can visit a snippet of what unpkg used to extract the tar file when it pulled a package: function ignoreSymlinks ( file, headers ) Unpkg lets you read any file out of a package once it’s extracted. If it doesn’t, it pulls the corresponding tar file from npm. When you request a URL like unpkg checks if it already has the package downloaded and extracted at /tmp/unpkg-react-16.3.2/. Don’t trust a third-party CDN – use subresource integrity and pin hashes! Vulnerability If exploited, this bug would have allowed an attacker to execute malicious Javascript on thousands of websites, including the homepages of PNC Bank, React.js, and the state of Nebraska. I found a vulnerability in a tar implementation that allowed me to write arbitrary files onto the unpkg server, including into other packages. Tl dr is a pretty popular CDN for serving up assets from npm packages.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |