CVE-2026-24842 node-tar: Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal#648

Open
sbouchet wants to merge 7 commits into che-incubator:main from sbouchet:CVE-2026-24842

Conversation

@sbouchet sbouchet commented Feb 4, 2026

What does this PR do?

This PR fixes GHSA-34x7-hfp2-rc4v : Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal.
tar version is updated to 7.5.7

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-10039

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension)
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder


github-actions bot commented Feb 4, 2026

Click here to review and test in web IDE: Contribute


@sbouchet sbouchet marked this pull request as ready for review February 5, 2026 13:55

@RomanNikitenko RomanNikitenko left a comment


The problem is fixed from the security point of view.

I just noticed that gulp-untar@0.0.7 requires tar@2.2.2, but we override it to 7.5.7

2.2.2 => 7.5.7 = too big difference = some risk

At the same time gulp-untar@0.0.7 was published 8 years ago, so no chance to get it updated to fix the problem. So, only replacing gulp-untar by another dependency could be an alternative solution...

@sbouchet
Collaborator Author

> The problem is fixed from the security point of view.
>
> I just noticed that gulp-untar@0.0.7 requires tar@2.2.2, but we override it to 7.5.7
>
> 2.2.2 => 7.5.7 = too big difference = some risk
>
> At the same time gulp-untar@0.0.7 was published 8 years ago, so no chance to get it updated to fix the problem. So, only replacing gulp-untar by another dependency could be an alternative solution...

one possible solution might be to use https://www.npmjs.com/package/gulp-decompress

@RomanNikitenko
Collaborator

@sbouchet
I haven’t looked into this in depth and I’m not sure how many changes are needed, so I’ll rely on your expertise.

via Hardlink Path Traversal

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet
Collaborator Author

sbouchet commented Feb 18, 2026

npm audit says:

tar  <7.5.8
Severity: high
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
fix available via `npm audit fix --force`
Will install @vscode/sqlite3@5.1.12-vscode, which is a breaking change
node_modules/tar
  @vscode/sqlite3  5.1.2-vscode || 5.1.3-vscode - 5.1.11-vscode
  Depends on vulnerable versions of tar
  node_modules/@vscode/sqlite3

so I'll rework this PR to bump to at least 7.5.8
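Both the review comment about overriding gulp-untar's pinned tar@2.2.2 and the npm audit output above show the same risk: an override at the top level does not guarantee that every nested copy of tar in the tree was actually replaced. The script below, added here as an example and not part of this PR or the project, walks the `packages` map of a package-lock.json (lockfileVersion 2/3 layout), finds every resolved copy of `tar` including nested ones, and reports any below the minimum the advisory requires; the lockfile fragment and the file name `check-tar.js` are constructed for illustration.

```javascript
// Added example: report every resolved copy of "tar" in a lockfile whose
// version is below the advisory's minimum. Not the project's own code.
const MIN_TAR_VERSION = '7.5.8';

// Numeric comparison of dotted versions; a suffix such as "-vscode" is
// ignored for ordering purposes. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every lockfile entry whose path ends in node_modules/<name> (top-level
// or nested under another package) with a version below minVersion.
function findVulnerable(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !meta.version) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed lockfile fragment: the top-level override took effect, but a
// nested copy pulled in by gulp-untar still resolves to the old major version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tar': { version: '7.5.8' },
    'node_modules/gulp-untar': { version: '0.0.7', dependencies: { tar: '^2.2.2' } },
    'node_modules/gulp-untar/node_modules/tar': { version: '2.2.2' },
  },
};

// Usage: node check-tar.js [path/to/package-lock.json]; without an argument the
// constructed sample above is checked instead.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleLock;
  for (const f of findVulnerable(lock, 'tar', MIN_TAR_VERSION)) {
    console.log(`${f.path} resolves to tar@${f.version} < ${MIN_TAR_VERSION}`);
  }
}
```

Run it against the real lockfile after applying the override; an empty report means no copy of tar below 7.5.8 is left in the tree, whichever package depends on it.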
advisory GHSA-83g3-92jg-28cx

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet
Collaborator Author

Forgot to add rebase rules for source code. Please wait for the PR to be ready for review.

@sbouchet sbouchet marked this pull request as draft February 18, 2026 15:28
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet marked this pull request as ready for review February 18, 2026 16:59