@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

在文件访问前对链接解析不恰当(链接跟随)

Backstage 安全漏洞

Backstage是Backstage开源的一个应用软件。后台是一个开放的平台,用于构建开发者门户。 Backstage存在安全漏洞，该漏洞源于resolveSafeChildPath实用函数未能正确验证符号链接链和悬空符号链接，可能导致绕过路径验证。

N/A

N/A