
fix(stage): strip path separators from staged tarball filename#9721

Open
ubeddulla wants to merge 1 commit into
npm:latestfrom
ubeddulla:stage-download-path-traversal

Conversation

@ubeddulla

Contributor

npm stage download builds the output filename from the staged tarball's own `package.json` name and version, but those come straight out of the untrusted tarball (parsed raw, never validated), and the name only replaces the first `@`/`/` while the version is dropped in verbatim. A staged package whose version is something like `../../../../tmp/pwned` makes `resolve(process.cwd(), filename)` walk out of the working directory, so `writeFile` drops the attacker-controlled bytes at an arbitrary path. Strip every separator from the name and version before building the filename, the same way libnpmpack does, so it stays a single component inside cwd. Added a regression test that downloads a tarball with a crafted version and checks nothing lands outside the cwd.

@ubeddulla ubeddulla requested review from a team as code owners July 4, 2026 10:19