Security Report
I've identified two unsafe tarfile.extractall() calls that enable arbitrary file write on compute nodes.
Occurrence 1: harness/determined/exec/prep_container.py lines 34-40 validates tar member names via getnames() but not symlink targets. A tar with a symlink pointing outside the extraction directory passes the name check, but extractall() follows the symlink to write files to the target. The tarball is also extracted twice (lines 39-40).
Occurrence 2: harness/determined/common/experimental/checkpoint/_checkpoint.py line 332 calls extractall() with zero validation — no name check, no symlink check, no filter='data'.
Neither location uses Python 3.12's extraction_filter.
I have a full writeup with working PoC, root cause analysis, and suggested fix. I'd prefer to share exploitation details privately.
Could you please enable GitHub Private Vulnerability Reporting on this repo? Or I can send details to security@determined.ai.
Affected version: 0.38.1 (latest)
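As an added example (not code from the Determined repository or from the reporter), here is a defensive sketch of the check the report describes as missing: validating link targets as well as member names before `extractall()`, with `filter='data'` applied where the running Python provides it. The function names, the name-only stand-in check and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import os
import tarfile


def _inside(root, path):
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def names_look_safe(tar, dest):
    # Name-only check (assumed stand-in for a getnames()-based validation).
    root = os.path.realpath(dest)
    return all(_inside(root, os.path.join(root, n)) for n in tar.getnames())


def find_unsafe_members(tar, dest):
    # Return (name, reason) for every member that could write outside dest.
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        path = os.path.join(root, m.name)
        if not _inside(root, path):
            bad.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            # Symlink targets resolve from the link's directory,
            # hard link targets from the archive root.
            base = os.path.dirname(path) if m.issym() else root
            if os.path.isabs(m.linkname) or not _inside(root, os.path.join(base, m.linkname)):
                bad.append((m.name, "link target escapes destination"))
        elif not (m.isfile() or m.isdir()):
            bad.append((m.name, "special file"))
    return bad


def safe_extract(tar, dest):
    bad = find_unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract: {bad}")
    # Defence in depth: the stdlib 'data' filter where this Python provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)


def build_sample(link_target):
    # Constructed sample: a regular file plus one symlink member.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("model/weights.txt")
        info.size = 3
        tar.addfile(info, io.BytesIO(b"ok\n"))
        link = tarfile.TarInfo("model/latest")
        link.type, link.linkname = tarfile.SYMTYPE, link_target
        tar.addfile(link)
    return tarfile.open(fileobj=io.BytesIO(buf.getvalue()))
```

The constructed archive whose symlink points above the destination passes `names_look_safe()` but is rejected by `safe_extract()` before anything is written.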