symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest
🔗 CVE IDs covered (1)
📋 Description
Description
The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative(), which returns true for paths like ../../../etc. Path::join() then resolves the .. segments without complaint, so the final path can escape the intended directory entirely. A crafted or compromised kit can therefore write attacker-controlled content to arbitrary locations on the developer's machine or CI runner.
Because the copy operation creates missing parent directories and can overwrite existing files silently (with --force or in non-interactive environments), an attacker who controls a kit can overwrite files such as controllers, git hooks, or .env to achieve code execution. The source side of copy-files is symmetrically affected, enabling local file reads outside the recipe directory.
Resolution
The fix introduces an Assert::pathDoesNotEscapeDirectory() helper that rejects any copy-files source or destination path containing a .. segment, regardless of whether / or \ is used as the separator. This check is enforced in both RecipeManifest (which also guards the source Finder) and File. As a last line of defense, the installer re-verifies the fully resolved paths with Path::isBasePath() immediately before each filesystem read and write.
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
🎯 Affected products2
- composer/symfony/ux-toolkit:>= 2.32.0, < 2.36.1
- composer/symfony/ux-toolkit:>= 3.0.0, < 3.2.0