GuardDog is vulnerable to arbitrary file write. The vulnerability exists because the download_compressed function of package_scanner.py extracts downloaded packages with shutil.unpack_archive without validating archive member paths, allowing an attacker to write arbitrary files outside the destination directory through a malicious tarball archive (for example, one whose member names contain "../" segments or are absolute).
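The following is an added example, not GuardDog's code and not the fix in the linked commit or pull request. It constructs a sample tarball carrying a "../" member, shows the unvalidated shutil.unpack_archive pattern the advisory describes, and pairs it with a pre-extraction member check of the kind a practitioner would apply. The helper names (build_tarball, find_unsafe_members, safe_extract, run_scenario) and the sample archive contents are assumptions made for this example; how GuardDog's actual fix validates paths may differ.

```python
"""Path-traversal risk of shutil.unpack_archive on an untrusted tarball, and a
member check that refuses such archives. All archives below are constructed
in a scratch directory; nothing is downloaded. Example code, not GuardDog's."""
import io
import os
import shutil
import tarfile
import tempfile


def build_tarball(path, members):
    """Constructed sample input: write a .tar.gz with the given {name: bytes}
    members. tarfile does not validate member names on write, so a name such
    as '../escaped.txt' is stored verbatim. (Hypothetical helper.)"""
    with tarfile.open(path, "w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def unsafe_extract(archive, dest):
    """The pattern the advisory describes: the archive's member names are
    trusted as-is. Before Python 3.14 (where tarfile's 'data' filter becomes
    the default) a '../' member is written outside dest."""
    shutil.unpack_archive(archive, dest)


def _resolves_inside(base, candidate):
    """True if candidate normalises to a path at or below base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base


def find_unsafe_members(archive, dest):
    """Names of members a checked extraction must refuse: anything resolving
    outside dest, plus links and special files. A package scanner only needs
    regular files and directories; rejecting links outright also closes the
    symlink-then-write-through-it trick that a lexical path check misses."""
    bad = []
    with tarfile.open(archive, "r:*") as tf:
        for m in tf.getmembers():
            if not (m.isfile() or m.isdir()):
                bad.append(m.name)
            elif not _resolves_inside(dest, os.path.join(dest, m.name)):
                bad.append(m.name)
    return bad


def safe_extract(archive, dest):
    """Refuse the whole archive on the first offending member, otherwise
    extract, using tarfile's 'data' filter as well where the runtime has it."""
    bad = find_unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract {archive}: unsafe members {bad}")
    with tarfile.open(archive, "r:*") as tf:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)


def run_scenario():
    """Build a malicious and a benign archive (constructed sample input), run
    both extraction paths, and return the observations as a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        malicious = os.path.join(root, "evil.tar.gz")
        benign = os.path.join(root, "ok.tar.gz")
        build_tarball(malicious, {
            "pkg/setup.py": b"print('hello')\n",
            "../escaped.txt": b"written outside the extraction dir\n",
        })
        build_tarball(benign, {"pkg/setup.py": b"print('hello')\n"})

        # 1. The advisory's pattern: dest is <root>/extract, so the traversal
        #    member targets <root>/escaped.txt, one level above dest.
        dest = os.path.join(root, "extract")
        os.mkdir(dest)
        try:
            unsafe_extract(malicious, dest)
        except tarfile.TarError:
            pass  # Python 3.14+ applies the 'data' filter and refuses
        results["escaped_via_unpack_archive"] = os.path.exists(
            os.path.join(root, "escaped.txt"))

        # 2. The pre-extraction check names the offending member.
        results["flagged"] = find_unsafe_members(malicious, dest)

        # 3. The checked extraction refuses the archive and writes nothing ...
        dest2 = os.path.join(root, "extract2")
        os.mkdir(dest2)
        try:
            safe_extract(malicious, dest2)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        results["nothing_written"] = os.listdir(dest2) == []

        # 4. ... and still extracts a well-formed package.
        safe_extract(benign, dest2)
        results["benign_extracted"] = os.path.isfile(
            os.path.join(dest2, "pkg", "setup.py"))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The value of "escaped_via_unpack_archive" is True on interpreters that extract with no filter and False on Python 3.14+, which is exactly why the check cannot be left to the runtime: the member check runs before any file is created, so a rejected archive leaves the destination untouched.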
github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158
github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L158
github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c
github.com/DataDog/guarddog/pull/102
github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v