[Pkg-javascript-devel] Bug#864239: node-rimraf: can remove files outside the intended tree

Jeff Epler jepler at unpythonic.net
Mon Jun 5 14:38:57 UTC 2017


Package: node-rimraf
Version: 2.5.4-2
Severity: important
Tags: upstream

Dear Maintainer,

I was inspecting the source to node-rimraf.  I believe the code in node-rimraf
is unsafe if an adversary can manipulate the contents of the directory tree
to be removed, making it unsuitable for use on multiuser machines.

In particular, the adversary can cause files outside of the tree to be 
removed by the following sequence of manipulations:

rimraf                              adversary
                                    places a file
lstat() -> [not a directory]
                                    replaces file with non-empty directory
unlink() -> EISDIR
rmdir() -> ENOTEMPTY
                                    replaces directory with symlink
rmkids() -> readdir() [note: readdir follows symlink]

At this point, rimraf starts merrily removing stuff outside the intended 
tree.

To be safe, careful use of POSIX *at calls (openat, etc) with 
appropriate flags (O_NOFOLLOW) is necessary but these are probably not 
exposed in the node ecosystem.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-rt-amd64 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages node-rimraf depends on:
ii  node-glob  7.1.1-1
ii  nodejs     4.8.2~dfsg-1

Versions of packages node-rimraf recommends:
ii  node-graceful-fs  4.1.11-1

node-rimraf suggests no packages.

-- no debconf information
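
The mitigation named in the report (POSIX *at calls with O_NOFOLLOW), sketched in C as an added example; it is not code from rimraf or from the reporter. `rm_tree_at` is a hypothetical name, and `name` is assumed to be a single path component resolved against a directory descriptor the caller already trusts.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* rm_tree_at (hypothetical helper): remove `name` (file, symlink or whole
 * tree) relative to directory fd `parent`. Returns 0, or -1 with errno set. */
int rm_tree_at(int parent, const char *name)
{
    /* unlinkat() never follows a symlink in the final component, so a
     * symlink planted in the tree is removed as a link, not traversed. */
    if (unlinkat(parent, name, 0) == 0)
        return 0;
    if (errno != EISDIR && errno != EPERM) /* EPERM: POSIX's "is a directory" */
        return -1;

    /* If the entry was swapped for a symlink after the unlinkat() above,
     * O_NOFOLLOW|O_DIRECTORY makes this fail instead of following it. */
    int fd = openat(parent, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    DIR *d = fdopendir(fd);
    if (!d) { int e = errno; close(fd); errno = e; return -1; }

    int rc = 0;
    struct dirent *de;
    while (rc == 0 && (errno = 0, de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
            continue;
        /* Children resolve against the pinned fd, never a re-walked path. */
        rc = rm_tree_at(dirfd(d), de->d_name);
    }
    if (rc == 0 && errno != 0)  /* readdir() itself failed */
        rc = -1;
    int saved = errno;
    closedir(d);
    errno = saved;
    if (rc != 0)
        return -1;
    /* AT_REMOVEDIR fails with ENOTDIR if `name` is no longer a directory. */
    return unlinkat(parent, name, AT_REMOVEDIR);
}
```

Because every directory is opened once and its children are addressed through that descriptor, replacing a directory with a symlink between the failed unlink and the directory read yields an error rather than a walk into the link's target.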


