sass-site/source/blog/035-security-alert-tar-permissions.md

117 lines
4.8 KiB
Markdown
Raw Normal View History

---
2023-03-09 17:19:39 +01:00
title: "Security Alert: Tar Permissions"
author: Natalie Weizenbaum
2023-03-03 16:39:31 +01:00
date: 2022-12-09 16:00:00 -8
---
The Sass team was recently alerted by prolific external contributor [@ntkme] to
a security issue in our release process.
[@ntkme]: https://github.com/ntkme
## TL;DR
If you're using Linux or Mac OS, run `ls -ax path/to/sass`. If the last group of
letters in the first column contains `w`, you're vulnerable:
```
Vulnerable:
-rwxr-xrwx 1 nweiz primarygroup 407 Dec 13 12:33 sass-1.56.2/sass
Not vulnerable:
-rwxr-xr-x 1 nweiz primarygroup 407 Dec 13 12:33 sass-1.56.2/sass
```
If you're using the `sass-embedded` package, do the same thing for
`node_modules/sass-embedded/dist/lib/src/vendor/dart-sass-embedded/dart-sass-embedded`.
## Who's Affected?
While we don't expect this issue to be a problem for the vast majority of users,
it does affect the following groups:
2023-03-09 17:19:39 +01:00
* Users who downloaded the stand-alone Dart Sass, Dart Sass Embedded, or Sass
Migrator `.tar.gz` archives from the Dart Sass website and extracted them as
the Unix root user.
2023-03-09 17:19:39 +01:00
* Users who installed the `sass-embedded` npm package as the Unix root user
prior to version 1.54.5.
2023-03-09 17:19:39 +01:00
* Users who installed the "non-native" version of the community-maintained
`sass-embedded` RubyGems package as the Unix root user prior to version
1.56.2.
2023-03-09 17:19:39 +01:00
* Users on multi-user systems who downloaded the stand-alone Dart Sass, Dart
Sass Embedded, or Sass Migrator `.tar.gz` archives from the Dart Sass website
and explicitly passed the `-p`/`--preserve-permissions` flag when extracting
them.
Users who installed Dart Sass via the `sass` npm package, Homebrew, or
Chocolatey are categorically not at risk, nor are users on Windows.
We strongly recommend that users in these vulnerable groups delete and
re-install Sass. All the `.tar.gz` files on GitHub have been scrubbed to remove
the vulnerability, so you can reinstall the same version you were previously
using without needing to upgrade to the latest version.
This is a privilege-escalation issue, which means it could allow a hypothetical
attacker with access to a low-privilege account on your computer to escalate
their access to your account's privileges. However, this also means that it's
2023-03-09 17:19:39 +01:00
not a risk *unless* an attacker already has access to an account on your
machine.
## What went wrong?
We were inadvertently uploading `.tar.gz` archives with permissions metadata
indicating that executable files could be overwritten by all users, not just the
owner.
In most cases, this metadata is ignored when extracting the archives and the
permissions are set to only be writable by the user doing the extraction.
However, when extracting archives as the Unix root user or explicitly passing
the `-p`/`--preserve-permissions` flag, the permissions for the extracted files
are set according to the archive's metadata. Because the metadata was incorrect,
an attacker with access to a low-privilege account would be able to overwrite
the executable file and escalate their privileges once it's executed.
## How did this happen?
Dart Sass is automatically deployed to various different release platforms using
a Dart package called [`cli_pkg`], which is also written maintained by the Sass
team. This package uses the Dart [`archive`] package to generate `.tar.gz` files
for stand-alone release packages which are then uploaded to GitHub, and when
initially writing the code to use this package I wrote the following function:
[`cli_pkg`]: https://pub.dev/packages/cli_pkg
[`archive`]: https://pub.dev/packages/archive
```dart
ArchiveFile fileFromBytes(String path, List<int> data,
{bool executable = false}) =>
ArchiveFile(path, data.length, data)
..mode = executable ? 495 : 428
..lastModTime = DateTime.now().millisecondsSinceEpoch ~/ 1000;
```
My intention was to set the executable mode to `755` (read/write/execute for the
owner, read/execute only for the other users) and the non-executable mode to
`644` (read/write for the owner, read-only for other users). However, Dart
doesn't support literal octal numbers and I must have done the decimal-to-octal
conversion wrong. The actual permissions that got set were `757`
(read/write/execute for the owner **and other users**, read/execute for the
group) and `654` (read/write for the owner, read/execute for the group, and
read-only for other users).
This went unnoticed for several years, until @ntkme notified us of the issue
last week and provided a fix to `cli_pkg`.
## What's been done?
We've released `cli_pkg` 2.1.7 which sets the archive permissions correctly. In
addition, we've updated all `.tar.gz` files in the Dart Sass, Dart Sass
Embedded, and Sass Migrator repositories to correctly limit write permissions to
only the owner of the files. We're announcing the vulnerability here and on the
[@SassCSS Twitter account].
[@SassCSS Twitter account]: https://twitter.com/SassCSS