Path traversal for local publishers in TechDocs backend

Impact

A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.

This vulnerability is mitigated by the fact that the Software Catalog must be configured with non-standard field format validators and/or non-standard entity policies.

Patches

Those affected are advised to upgrade to @backstage/plugin-techdocs-node version 1.1.2 or higher.

Workarounds

If patching or upgrading is not possible, it would be sufficient to update any custom Catalog field format validators and/or custom entity policies to disallow entity names, kinds, and namespaces containing ..

<!--

References

todo: Link to blog post / published report. -->

For more information

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our chat, linked to in the Backstage README

Published: Jun 17, 2022
Updated: Apr 14, 2023
GHSA: GHSA-4jqc-jvh2-pxg9
Severity: Medium
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
@backstage / plugin-techdocs-node	-	1.1.2
@backstage / techdocs-common	-	0.11.16