JavaScript directory bug highlights the problems caused by software dependency chains

Unpkg, a global content delivery network (CDN), has patched a vulnerability that could have allowed an attacker to execute malicious JavaScript on thousands of websites, including PNC Bank, React.js, and the official Nebraska government site.

In a blog post published yesterday, researcher Max Justicz explains how a tar implementation bug allowed him to write arbitrary files onto the unpkg server, including into other packages.

Tar is a software utility used for collecting several files into one archive file, for easier distribution or archiving.

Justicz found that when a user requests a URL, unpkg checks if it has already downloaded and extracted the package. It is hasn’t, it pulls the corresponding tar file from the NPM JavaScript package manager.

The researcher found that unpkg allows a user to read any package file once it has been extracted. “Right away this gives us arbitrary file reads on the server by creating a symlink… and browsing through the directory with the web interface,” he said.

After reporting this bug to the unpkg maintainer, Justicz said he started looking for ways to extract files into a directory pointed to by a symlink that has already been extracted.

While Justicz “figured there would be no way this would work with any mature tar implementation”, he realized that unpkg doesn’t use the open-source GNU Tar software, but a package called tar-fs, which, he said, “happily extracts this archive”.

“Since we can write (and overwrite) files anywhere that the webserver user is able to do so, we can overwrite files in the directories set aside for other packages,” the researcher noted.

“To test this out, I made two versions of a package, and had the second version overwrite files in the first (it worked).”

Justicz added: “After reporting this variant of the original bug to the tar-fs maintainer, he got back to me the next morning sounding a little worried. Surprisingly, node-tar, a much more popular tar library, was vulnerable to the hardlink variant.”

While the researcher said the bugs were quickly patched, this latest disclosure highlights the recurring problems that can arise through software dependency chains.

Had this vulnerability been discovered by an attacker, every site using the unpkg CDN could have been compromised.

Offering advice to site admins, Justicz said: “Either host files yourself or use subresource integrity. It lets you pin the cryptographic has of whatever file you’re trying to load, protecting you from attacks like this in modern browsers.”