Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true
Vulnerability Description
Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue.
CVSS Information
N/A
Vulnerability Type
CWE-61
Vulnerability Title
Copier 安全漏洞
Vulnerability Description
Copier是Copier开源的一个用于渲染项目模板的库。 Copier 9.11.2之前版本存在安全漏洞,该漏洞源于使用符号链接和特定设置可能导致写入目标路径之外的任意目录。
CVSS Information
N/A
Vulnerability Type
N/A