Time of Check Time of Use (TOCTOU)
The advisory has been revoked - it doesn't affect any version of package chownr
- Snyk ID SNYK-JS-CHOWNR-73502
- published 11 Jan 2019
- disclosed 31 Jul 2018
- credit Jeff Epler
Amendment
This was deemed not a vulnerability.
Overview
chownr is a package that takes the same arguments as fs.chown().
Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU).
Information: Maintainer's Advice
There is no readdir that will succeed on actual directories, and fail on symlinks to directories.
The basic flow would be:
- Read a directory, get a list of items
- One of those items is a directory
- After the initial readdir (or readdir+lstat), but before the directory traversal, an attacker moves the directory aside and replaces it with a symbolic link to some other directory.
- The script will proceed to change ownership of all items in the symlink target directory.
There is no readdir(3) call that will succeed on a "real" directory, but fail on a symbolic link to a directory. What that means is that there is no atomic way to verify that, at the exact time of reading a directory, it's a real directory and not a symlink to somewhere else.
That being the case, there will always be a TOCTOU issue for any recursive filesystem operation that traverses directories making changes at each level.
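The race the maintainer describes exists only when each step re-resolves a path; the added C example below (written for this page, not chownr's code) walks the tree through directory descriptors instead, opening every child with openat(O_NOFOLLOW|O_DIRECTORY) and chowning with fchownat(AT_SYMLINK_NOFOLLOW), so a directory swapped for a symlink after readdir() is chowned as a link and never entered. It assumes a POSIX.1-2008 system (Linux or macOS) and builds its own constructed fixture under /tmp.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Walk an open directory fd. Every chown and every descent is relative to that fd
 * and refuses to follow symlinks, so an entry swapped for a symlink after readdir()
 * is chowned as a link and never entered. Returns entries chowned below dirfd, or -1. */
static long chown_dir_fd(int dirfd, uid_t uid, gid_t gid) {
    int dupfd = dup(dirfd);                          /* fdopendir() takes over its fd */
    DIR *d = dupfd < 0 ? NULL : fdopendir(dupfd);
    if (!d) { if (dupfd >= 0) close(dupfd); return -1; }
    long count = 0, n; struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        if (fchownat(dirfd, ent->d_name, uid, gid, AT_SYMLINK_NOFOLLOW)) break;
        count++;
        /* O_NOFOLLOW|O_DIRECTORY: a symlink (ELOOP) or a plain file (ENOTDIR) is skipped */
        int sub = openat(dirfd, ent->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (sub < 0) { if (errno == ELOOP || errno == ENOTDIR) continue; break; }
        n = chown_dir_fd(sub, uid, gid); close(sub);
        if (n < 0) break; count += n;
    }
    int failed = ent != NULL; closedir(d);           /* ent non-NULL means we hit break */
    return failed ? -1 : count;
}
/* Recursive chown of a real directory; returns entries chowned including root, or -1. */
long chown_tree_nofollow(const char *root, uid_t uid, gid_t gid) {
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                           /* root itself is a symlink: refuse */
    long n = fchown(fd, uid, gid) ? -1 : chown_dir_fd(fd, uid, gid);
    close(fd); return n < 0 ? -1 : n + 1;
}
/* Constructed fixture (not from the advisory): root/sub (empty dir) and root/link,
 * a symlink to a separate directory holding one file. Writes the root path to `out`. */
int build_fixture(char *out, size_t n) {
    char target[] = "/tmp/chownr-target-XXXXXX", root[] = "/tmp/chownr-root-XXXXXX", p[256];
    if (!mkdtemp(target) || !mkdtemp(root)) return -1;
    snprintf(p, sizeof p, "%s/victim", target);
    int fd = open(p, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd)) return -1;
    snprintf(p, sizeof p, "%s/sub", root); if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/link", root); if (symlink(target, p)) return -1;
    snprintf(out, n, "%s", root); return 0;
}
```

Calling chown_tree_nofollow with uid and gid set to -1 leaves ownership untouched, which lets the walk be exercised without privilege. Node's fs module exposes no openat or fchownat equivalent, which is why a pure-JavaScript chownr cannot take this route.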