Skip to content

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hyper-bump-it

Low
plannigan published GHSA-xc27-f9q3-4448 Sep 3, 2023

Package

pip hyper-bump-it (pip)

Affected versions

<0.5.1

Patched versions

0.5.1

Description

Summary

hyper-bump-it reads a file glob pattern from the configuration file. That is combined with the project root directory to construct a full glob pattern that is used to find files that should be edited. These matched files should be contained within the project root directory, but that is not checked. This could result in changes being written to files outside of the project.

The default behaviour of hyper-bump-it is to display the planned changes and prompt the user for confirmation before editing any files. However, the configuration file provides a field that can be used cause files to be edited without displaying the prompt.

Details

The vulnerability is present in

for file in project_root.glob(config.file_glob)

That code joins the project root directory with a string read from the configuration file without checking if the final path is located outside the project root directory.

The following configuration file contents would cause hyper-bump-it to replace every instance of "hello" in every file adjacent to the project root directory with "world". The line setting show_confirm_prompt to false is not required, but will result in the user file edits to occur without the user having a chance to reject the changes (The fact that changes happened would still be displayed).

[hyper-bump-it]
current_version = "1.2.3"
show_confirm_prompt=false

[[hyper-bump-it.files]]
file_glob = "../*"
search_format_pattern = "hello"
replace_format_pattern = "world"

Patches

A fix that been released as part of v0.5.1. The changes can be view as part of PR #307.

Workarounds

Users that are unable to update from vulnerable versions, executing hyper-bump-it with the --interactive command line argument will ensure that all planned changes are displayed and prompt the user for confirmation before editing any files, even if the configuration file contains show_confirm_prompt=true.

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2023-41057

Weaknesses

Credits