Impact
Could affect a Drone agent on which drone-cache ran as part of a 'trusted' pipeline.
Details
The routine Extract attempts to guard against creating symbolic links that point outside the directory a tar archive is extracted to. However, a malicious tarball that first links "subdir/parent" to ".." (allowed, because "subdir/.." falls within the archive root) and then links "subdir/parent/escapes" to ".." produces a symbolic link pointing to the tarball's parent directory, contrary to the routine's goals: the second target is checked against the path text "subdir/parent/..", but on disk "subdir/parent" already resolves to the archive root, so the link lands one level above it.
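The failure mode above, as an added example that is not drone-cache's code: LexicalCheck reproduces the path-text-only guard the advisory describes and accepts both entries, while CreateSymlink (an assumed hardened check) resolves the link's parent directory through links already created on disk before deciding, so the second entry is rejected. Replay applies the advisory's two-entry sequence to a directory of your choosing.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// inside reports whether the cleaned, absolute path dest lies within root.
func inside(root, dest string) bool {
	rel, err := filepath.Rel(root, dest)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// LexicalCheck is the insufficient guard the advisory describes: it normalises path
// text only, so "subdir/parent/.." collapses to "subdir" even if parent links to "..".
func LexicalCheck(root, name, target string) bool {
	return inside(root, filepath.Join(root, filepath.Dir(name), target))
}

// CreateSymlink (assumed hardened check, not drone-cache's code) creates root/name -> target
// only if the link, resolved against links already on disk, still points inside root.
func CreateSymlink(root, name, target string) error {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	// Resolve the parent directory as it really exists, following earlier links.
	realParent, err := filepath.EvalSymlinks(filepath.Join(realRoot, filepath.Dir(name)))
	if err != nil {
		return err
	}
	dest := filepath.Join(realParent, target)
	if filepath.IsAbs(target) {
		dest = filepath.Clean(target)
	}
	if !inside(realRoot, dest) {
		return fmt.Errorf("symlink %q -> %q resolves outside %s", name, target, root)
	}
	return os.Symlink(target, filepath.Join(realRoot, name))
}

// Replay applies the advisory's two-entry tarball to root; a nil result would mean the escape succeeded.
func Replay(root string) error {
	os.MkdirAll(filepath.Join(root, "subdir"), 0o755)
	if err := CreateSymlink(root, "subdir/parent", ".."); err != nil {
		return err
	}
	return CreateSymlink(root, "subdir/parent/escapes", "..")
}
```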
Patches
TBD
Workarounds
Ensure your repository is not trusted (see drone repo update).