mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-07-01 21:28:10 +00:00
`_safe_extractall` in `crewai.experimental.skills.cache` (the Python < 3.12
fallback used by `SkillCacheManager.store` to unpack registry-downloaded skill
tarballs into `~/.crewai/skills/`) validated each member's *name* against the
destination but never validated symlink/hardlink *targets*. A malicious skill
archive could plant a symlink escaping the destination (e.g.
`link -> /home/user/.ssh`) followed by a regular member written through it
(`link/authorized_keys`), escaping `dest` even though every member name
resolves inside it — the classic symlink-extraction traversal.

This is the same bug fixed in 32d2da1 for the CLI's `_safe_extractall`
(`crewai_cli.experimental.skills.main`); the duplicate copy in the core
library's skill cache was missed. The 3.12+ path
(`extractall(..., filter="data")`) already blocks this; the fallback now
mirrors it by rejecting absolute link targets and any link target that
resolves outside the destination directory.

Adds regression tests covering absolute and relative escaping symlinks plus
benign in-tree symlinks and ordinary archives.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
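
An added example, not the project's `_safe_extractall` or any code from this commit: a pre-extraction scan that applies both checks the message describes (member name, then link target) to constructed in-memory archives. `link_escape_problems` and `build_tar` are hypothetical names chosen for this illustration.

```python
import io
import os
import tarfile


def link_escape_problems(tar, dest):
    """Return one reason per member that could write outside dest (empty = OK)."""
    root = os.path.realpath(dest)

    def inside(path):
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    problems = []
    for m in tar.getmembers():
        # Check 1 (name): passes for "link/authorized_keys" because "link"
        # does not exist on disk yet when the archive is inspected.
        if not inside(os.path.join(root, m.name)):
            problems.append(f"{m.name}: name escapes destination")
        if not (m.issym() or m.islnk()):
            continue
        # Check 2 (link target): symlink targets are relative to the link's
        # own directory, hardlink targets to the archive root.
        base = os.path.dirname(os.path.join(root, m.name)) if m.issym() else root
        if os.path.isabs(m.linkname):
            problems.append(f"{m.name}: absolute link target {m.linkname}")
        elif not inside(os.path.join(base, m.linkname)):
            problems.append(f"{m.name}: link target {m.linkname} escapes destination")
    return problems


def build_tar(entries):
    """Constructed sample archive from (name, symlink_target_or_None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is None:
                data = b"constructed sample data\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

This scan resolves paths lexically because nothing is on disk yet. An extractor that re-checks each member immediately before writing it also covers targets that pass through links created earlier in the same archive.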