Affected versions
Symfony UX Toolkit versions >=2.32.0<2.36.1, >=3.0.0<3.2.0 are affected by this security issue.
The issue has been fixed in Symfony UX Toolkit 2.36.1, 3.2.0.
Description
The ux:install console command installs files from a recipe kit by
copying paths listed in a copy-files map. The only guard against
malicious paths was Path::isRelative(), which returns true for paths
like ../../../etc. Path::join() then resolves the .. segments
without complaint, so the final path can escape the intended directory
entirely. A crafted or compromised kit can therefore write attacker-controlled
content to arbitrary locations on the developer's machine or CI runner.
Because the copy operation creates missing parent directories and can
overwrite existing files silently (with --force or in non-interactive
environments), an attacker who controls a kit can overwrite files such as
controllers, git hooks, or .env to achieve code execution. The source
side of copy-files is symmetrically affected, enabling local file reads
outside the recipe directory.
Resolution
The fix introduces an Assert::pathDoesNotEscapeDirectory() helper that
rejects any copy-files source or destination path containing a ..
segment, regardless of whether / or \ is used as the separator. This
check is enforced in both RecipeManifest (which also guards the source
Finder) and File. As a last line of defense, the installer re-verifies
the fully resolved paths with Path::isBasePath() immediately before each
filesystem read and write.
Credits
We would like to thank Pascal Cescon for discovering the issue and Hugo Alliaume for providing the fix.