Skip to content

Commit 8f7c7bf

Browse files
1 parent de8e534 commit 8f7c7bf

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-wx3m-whqv-xv47",
4+
"modified": "2026-06-05T19:43:51Z",
5+
"published": "2026-06-05T19:43:51Z",
6+
"aliases": [],
7+
"summary": "skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion",
8+
"details": "## Impact\n\n`skillctl` 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to:\n\n1. **Exfiltrate arbitrary files on the operator's machine** by publishing a malicious skills library containing a symlink inside a skill folder (e.g. `niania → /home/user/.aws/credentials`). The symlink fell through `entry.file_type().is_dir()` in `fs_util::copy_dir_all`, was dereferenced by `fs::copy`, and the target's content was copied into the project. A subsequent `skillctl push` would have published the secret to the (possibly public) library — what the reporter called \"round-trip path exfiltration\".\n\n2. **Delete arbitrary directories outside the project or library root** by crafting a `.skills.toml` with a malicious `destination` or `source_path` field. Both were deserialized as `PathBuf` with zero validation. Because `Path::join` lets an absolute right-hand side replace the base, `destination = \"/home/user/.ssh\"` made `cwd.join(...)` resolve outside the project; `..` traversal was equally unguarded. Downstream `remove_dir_all` in `replace_folder_contents` then wiped arbitrary writable directories on `skillctl pull` / `push` / `detect`. `.skills.toml` is the exact kind of file teams commit and exchange via PR; a single merged malicious PR was sufficient to weaponise the maintainer's next `skillctl pull --all`.\n\n3. **`detect --target` accepted `..` traversal**, even though absolute paths were rejected. `--target ../../../etc` would have written outside the library root.\n\n4. **Fork-name validation accepted `.` and `..` literally**, so a fork named `..` would have produced a `Path::join` resolving to the parent directory and `fs::rename` could have clobbered it.\n\n## Patches\n\nFixed in [v0.1.2](https://github.com/umanio-agency/skillctl/releases/tag/v0.1.2):\n\n- Symlinks inside skill folders are hard-rejected at copy time (both top-level source and any descendant entry).\n- `.skills.toml` `destination` and `source_path` are validated at load time and reject absolute paths, `..` components, and Windows-prefix components.\n- A new `path_safety::safe_join` helper is wired (defense-in-depth) at every destructive call site in `pull.rs` / `push.rs`.\n- `detect --target` and the interactive custom-path prompt go through the same `validate_relative_subpath` helper.\n- `validate_fork_name` explicitly rejects `.` and `..`.\n\nThreat-model note: the fix is purely lexical (component-level) plus an explicit symlink check at copy time. No filesystem `canonicalize` calls were added, avoiding TOCTOU windows.\n\n## Credit\n\nReported privately on 2026-05-19 by **firebaguette** via the Umanio Discord (the reporter declined GitHub credit, so this advisory carries no structured credits field).",
9+
"severity": [],
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "crates.io",
14+
"name": "skillctl"
15+
},
16+
"ranges": [
17+
{
18+
"type": "ECOSYSTEM",
19+
"events": [
20+
{
21+
"introduced": "0"
22+
},
23+
{
24+
"fixed": "0.1.2"
25+
}
26+
]
27+
}
28+
]
29+
}
30+
],
31+
"references": [
32+
{
33+
"type": "WEB",
34+
"url": "https://github.com/umanio-agency/skillctl/security/advisories/GHSA-wx3m-whqv-xv47"
35+
},
36+
{
37+
"type": "WEB",
38+
"url": "https://github.com/umanio-agency/skillctl/commit/827fff5c0698dd9e48e777d5907cf7bc19b91aca"
39+
},
40+
{
41+
"type": "PACKAGE",
42+
"url": "https://github.com/umanio-agency/skillctl"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/umanio-agency/skillctl/releases/tag/v0.1.2"
47+
}
48+
],
49+
"database_specific": {
50+
"cwe_ids": [
51+
"CWE-22",
52+
"CWE-61"
53+
],
54+
"severity": "HIGH",
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-06-05T19:43:51Z",
57+
"nvd_published_at": null
58+
}
59+
}

0 commit comments

Comments
 (0)