GuardDog is vulnerable to path traversal. The vulnerability exists due to the unsafe extraction using the tarfile.TarFile.extractall functionality in the scan_local function of package_scanner.py, which allows an attacker to write arbitrary files outside the destination directory through a malicious .tar.gz file.
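As an added example (not GuardDog's own code), the check the vulnerable extractall call lacked: every member's resolved path, and for links the link target, must stay under the destination directory, validated immediately before each member is written so that earlier symlinks are already resolved. The function names and the in-memory sample archive are constructed for this illustration.

```python
import io
import os
import tarfile


class UnsafeArchiveMember(ValueError):
    """Raised when a tar member would land outside the destination directory."""


def _is_within(base: str, target: str) -> bool:
    # realpath resolves "..", "." and any symlinks that already exist on disk.
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_member(member: tarfile.TarInfo, dest: str) -> None:
    """Reject members whose name or link target escapes `dest`."""
    target = os.path.join(dest, member.name)
    if os.path.isabs(member.name) or not _is_within(dest, target):
        raise UnsafeArchiveMember(f"path escapes destination: {member.name!r}")
    if member.issym() or member.islnk():
        # Symlink targets are relative to the member's directory; hard link
        # targets are relative to the archive root. Both must stay inside.
        link_base = os.path.dirname(target) if member.issym() else dest
        if not _is_within(dest, os.path.join(link_base, member.linkname)):
            raise UnsafeArchiveMember(f"link escapes destination: {member.name!r}")


def safe_extractall(tar_bytes: bytes, dest: str) -> list:
    """Extract a .tar.gz (given as bytes) into `dest`, one validated member at a time.

    On failure the exception propagates; the caller should discard `dest`,
    since members before the offending one have already been written.
    """
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            check_member(member, dest)  # checked right before the write
            tar.extract(member, dest)
            extracted.append(member.name)
    return extracted


def build_tar(entries: dict) -> bytes:
    """Constructed sample archive: maps member name -> file content (regular files only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)  # name is stored verbatim, "../" included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```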
github.com/DataDog/guarddog/commit/98af5c8c1e9c15fa888c900252e76116b0ec25d1
github.com/DataDog/guarddog/pull/89
github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
github.com/DataDog/guarddog/releases/tag/v0.1.5
github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq