PT-2023-18667 · Act · Act

Kevin Stubbings

Published 2023-01-20 · Updated 2024-08-20

CVE-2023-22726

CVSS v3.1: 8.0 High
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: act versions prior to 0.2.40
Description: The artifact server in act does not sanitize path inputs, allowing an attacker to download and overwrite arbitrary files on the host from a GitHub Action, potentially leading to privilege escalation. The "/upload" endpoint is vulnerable to path traversal because the file path is user-controlled and flows into os.Mkdir and os.Open. The "/artifact" endpoint is also vulnerable to path traversal because the path variable is user-controlled and the specified file is returned by the server.
Recommendations: For versions prior to 0.2.40, upgrade to version 0.2.40 or later. As a temporary workaround, consider using ValidPath() to check against path traversal, or clean the user-provided paths manually in the implementation of Open and OpenAtEnd for FS. Avoid using the artifact server with the --artifact-server-path parameter until the issue is resolved.
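As an added example (not act's own code), the following Go helper shows the two checks the recommendation describes: fs.ValidPath on the user-supplied artifact path, followed by a containment check after joining it to the artifact root. The function name, the sample root and the sample inputs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a user-supplied artifact path would escape the artifact root.
var ErrTraversal = errors.New("artifact path escapes artifact root")

// ResolveArtifactPath maps a user-controlled path (as received by an /upload or
// /artifact style endpoint) onto a location inside root. Hypothetical hardened
// helper, not act's implementation: fs.ValidPath rejects "", "..", "." elements
// and leading slashes, and a second check confirms the cleaned absolute result
// still sits under root before it reaches os.Mkdir or os.Open.
func ResolveArtifactPath(root, userPath string) (string, error) {
	// Artifact paths are slash-separated; normalise backslashes first so a
	// Windows-style "..\" element cannot slip past the element check.
	p := strings.ReplaceAll(userPath, "\\", "/")
	if !fs.ValidPath(p) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, userPath)
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, filepath.FromSlash(p))
	// Defence in depth: after cleaning, the relative path must not start with "..".
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, userPath)
	}
	return full, nil
}

func main() {
	root := "/srv/act-artifacts" // constructed sample root, not a real deployment path
	for _, in := range []string{"run1/build.log", "../../etc/passwd", "/etc/shadow", "a/./b", "ok/../../x"} {
		out, err := ResolveArtifactPath(root, in)
		fmt.Printf("%-20q -> %q err=%v\n", in, out, err)
	}
}
```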

Unrestricted File Upload

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-22726
GHSA-PC99-QMG4-RCFF
GO-2023-1504

Affected Products

Act