GMS-2022-7821: GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Extracting files using `shutil.unpack_archive()` from a potentially malicious tarball, without validating that each destination file path is within the intended destination directory, can cause files outside the destination directory to be overwritten.
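The advisory names the pattern but not the fix. The following is an added example, not GuardDog's own code, showing a hardened extractor that validates every archive member against the destination directory before anything is written, and a constructed sample tarball (function names `build_sample_tarball`, `is_within_directory`, `safe_extract` and `demo` are this example's own) that carries one traversal member so the check can be exercised offline:

```python
import io
import os
import tarfile
import tempfile


def build_sample_tarball(path: str, include_traversal: bool = True) -> str:
    """Constructed sample for the demo: one benign member and, optionally, one
    member whose name climbs out of the extraction directory."""
    members = [("pkg/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n")]
    if include_traversal:
        members.append(("../outside.txt", b"would land outside the destination\n"))
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def is_within_directory(directory: str, target: str) -> bool:
    """True if target, after resolving symlinks and '..', stays under directory."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def safe_extract(archive_path: str, dest_dir: str) -> list:
    """Extract only after every member has been validated; raise on any escape.

    Validation happens in a first pass so a bad member late in the archive
    cannot leave a half-extracted tree behind."""
    os.makedirs(dest_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:*") as tar:
        members = tar.getmembers()
        for member in members:
            target = os.path.join(dest_dir, member.name)
            if not is_within_directory(dest_dir, target):
                raise ValueError(f"path traversal attempt: {member.name!r}")
            # Symlinks and hardlinks can escape too: resolve their target as well.
            if member.issym() or member.islnk():
                link_target = os.path.join(os.path.dirname(target), member.linkname)
                if not is_within_directory(dest_dir, link_target):
                    raise ValueError(f"link escapes destination: {member.name!r}")
            # Device nodes and FIFOs have no place in a package archive.
            if not (member.isfile() or member.isdir() or member.issym() or member.islnk()):
                raise ValueError(f"unsupported member type: {member.name!r}")
        # On Python 3.12+ (and backports) tarfile ships a 'data' filter that
        # enforces the same rules; use it as a second layer when available.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for member in members:
            tar.extract(member, dest_dir, **kwargs)
        return [m.name for m in members]


def demo() -> dict:
    """Run the hardened extractor against a malicious and a benign sample."""
    with tempfile.TemporaryDirectory() as workdir:
        dest = os.path.join(workdir, "extract")
        malicious = build_sample_tarball(os.path.join(workdir, "evil.tar.gz"))
        benign = build_sample_tarball(os.path.join(workdir, "ok.tar.gz"), include_traversal=False)
        try:
            safe_extract(malicious, dest)
            blocked = False
        except ValueError:
            blocked = True
        extracted = safe_extract(benign, dest)
        wrote_outside = os.path.exists(os.path.join(workdir, "outside.txt"))
        return {"blocked": blocked, "extracted": extracted, "wrote_outside": wrote_outside}


if __name__ == "__main__":
    print(demo())
```

The important design choice is validate-then-extract: `shutil.unpack_archive()` extracts as it reads, so a check bolted on afterwards is too late. Where the interpreter supports it, `shutil.unpack_archive(..., filter="data")` applies the same protection inside the standard library.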