🔒 Fixed arbitrary file read via symlinks in content import

refs TryGhost/Product#3726 refs GHSA-9c9v-w225-v5rg - credits to https://github.com/ixSly
TryGhost · Aug 15, 2023 · 690fbf3 · 690fbf3
1 parent 6694456
commit 690fbf3
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 10 deletions.
diff --git a/ghost/core/package.json b/ghost/core/package.json
@@ -160,7 +160,7 @@
     "@tryghost/verification-trigger": "0.0.0",
     "@tryghost/version": "0.1.22",
     "@tryghost/webmentions": "0.0.0",
-    "@tryghost/zip": "1.1.34",
+    "@tryghost/zip": "1.1.37",
     "amperize": "0.6.1",
     "analytics-node": "6.2.0",
     "bluebird": "3.7.2",

diff --git a/ghost/core/test/regression/api/admin/db.test.js b/ghost/core/test/regression/api/admin/db.test.js
@@ -377,6 +377,15 @@ describe('DB API', function () {
         yearlyPrice.get('stripe_price_id').should.equal('price_d04baebb73');
         yearlyPrice.get('stripe_product_id').should.equal('prod_d2c1708c21');
     });
+
+    it('Can not import a ZIP-file with symlinks', async function () {
+        await request.post(localUtils.API.getApiQuery('db/'))
+            .set('Origin', config.get('url'))
+            .set('Accept', 'application/json')
+            .expect('Content-Type', /json/)
+            .attach('importfile', path.join(__dirname, '/../../../utils/fixtures/import/symlinks.zip'))
+            .expect(415);
+    });
 });
 
 // The following tests will create a new clean database for every test

diff --git a/ghost/core/test/utils/fixtures/import/symlinks.zip b/ghost/core/test/utils/fixtures/import/symlinks.zip
diff --git a/yarn.lock b/yarn.lock
@@ -7173,15 +7173,6 @@
   dependencies:
     p-wait-for "3.2.0"
 
-"@tryghost/zip@1.1.34":
-  version "1.1.34"
-  resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.34.tgz#c8ab1ac3bb5bc780f29c63723d3933f345f0ec65"
-  integrity sha512-tfv1Lcd46/W0AkbBj/ttZLCdqI1LQppvkVQ7l5+gSx2ZOHqnZmkoKwMOB0J/LxEEC1TzhqrW0Vzx+ZYtoPACzA==
-  dependencies:
-    archiver "^5.0.0"
-    extract-zip "^2.0.1"
-    fs-extra "^10.0.0"
-
 "@tryghost/zip@1.1.35":
   version "1.1.35"
   resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.35.tgz#654239d0b48f2baac5679cec2930937b825c2f84"
@@ -7191,6 +7182,16 @@
     extract-zip "^2.0.1"
     fs-extra "^10.0.0"
 
+"@tryghost/zip@1.1.37":
+  version "1.1.37"
+  resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.37.tgz#55ca424a42615d0e53aa12b2b108e7f20ac36b42"
+  integrity sha512-L+MKGsbIgHgEeoiq6lLpirNflp8CX89xDSwBRucHR/T+QLwVgnof+aiTTuaTrrF+pOWetBDTvB/gN5t94+k6hA==
+  dependencies:
+    "@tryghost/errors" "^1.2.26"
+    archiver "^5.0.0"
+    extract-zip "^2.0.1"
+    fs-extra "^11.0.0"
+
 "@trysound/sax@0.2.0":
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/@trysound/sax/-/sax-0.2.0.tgz#cccaab758af56761eb7bf37af6f03f326dd798ad"