CVE-2026-32771
Severity: HIGH
Description
The `sanitizeArchivePath` function in `pkg/extract/extract.go` (lines 248-254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory when using the `extractor` CLI tool or the `extract.DumpOTelCollector` library function.

## Vulnerable Code

File: `pkg/extract/extract.go`, lines 248-254

```go
func sanitizeArchivePath(d, t string) (v string, err error) {
	v = filepath.Join(d, t)
	if strings.HasPrefix(v, filepath.Clean(d)) { // ← missing trailing separator
		return v, nil
	}
	return "", fmt.Errorf("filepath is tainted: %s", t)
}
```

The function is called at line 219 inside `untar`, which is invoked by `copyFromPod` (line 205) during the Cold Extract data dump workflow.

## Root Cause

`strings.HasPrefix(v, filepath.Clean(d))` does not append a trailing `/` to the directory prefix, causing a **directory name prefix collision**. If the destination is `/home/user/extract-output` and a tar entry is named `../extract-outputevil/pwned`, the joined path `/home/user/extract-outputevil/pwned` passes the prefix check - it starts with `/home/user/extract-output` - even though it is entirely outside the intended directory.

## Steps to Reproduce

1. **Deploy the monitoring stack** with `ColdExtract: true`. The OTEL Collector begins writing signal data (`otel_traces`, `otel_metrics`, `otel_logs`) to the shared PVC.
2. **Place the PoC tar on the PVC.** Any pod with write access to the `ReadWriteMany` PVC (or the compromised OTEL Collector itself) copies a `poc-path-traversal.tar` into the `/data/collector` mount path. The archive contains three real-looking OTLP telemetry files alongside two crafted entries with path-traversal names.
3. **Run the extractor against the namespace:**

   ```
   extractor \
     --namespace monitoring \
     --pvc-name <signals-pvc-name> \
     --directory /home/user/extract-output
   ```

4. **Observe the bypass.** `untar` processes the tar stream. For the malicious entries:

   ```
   // entry name: ../extract-outputevil/poc-proof.txt
   filepath.Join("/home/user/extract-output", "../extract-outputevil/poc-proof.txt")
     => "/home/user/extract-outputevil/poc-proof.txt"
   strings.HasPrefix("/home/user/extract-outputevil/poc-proof.txt", "/home/user/extract-output")
     => true   // BUG: prefix collision; file lands OUTSIDE target dir
   ```

   Both malicious entries are written outside `/home/user/extract-output/`. The three legitimate OTLP files land correctly inside it.

## Impact

Successful exploitation gives an attacker arbitrary file write on the machine running the extractor. Real-world primitives include:

- Overwriting `~/.bashrc` / `~/.zshrc` / `~/.profile` for RCE on next shell login
- Appending to `~/.ssh/authorized_keys` for persistent SSH backdoor
- Dropping a malicious entry into `~/.kube/config` to hijack cluster access
- Writing crontab entries for persistent scheduled execution

The attack surface is widened by the default `ReadWriteMany` PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload - not just the OTEL Collector itself.
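The prefix collision from the Root Cause section, run side by side with a component-based containment check, as an added Go example that is not the project's code or its fix. `hardenedSanitize` and `rejected` are names chosen here, and the archive listing is constructed after the PoC description above.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableSanitize mirrors the advisory's check: the joined path only has to
// start with the cleaned destination string, so a sibling directory such as
// "extract-outputevil" passes because its name extends the destination name.
func vulnerableSanitize(d, t string) (string, error) {
	v := filepath.Join(d, t)
	if strings.HasPrefix(v, filepath.Clean(d)) {
		return v, nil
	}
	return "", fmt.Errorf("filepath is tainted: %s", t)
}

// hardenedSanitize (added here, not the project's fix) decides containment on
// path components: filepath.Rel starts with ".." exactly when the path escapes.
func hardenedSanitize(d, t string) (string, error) {
	base := filepath.Clean(d)
	v := filepath.Join(base, t)
	rel, err := filepath.Rel(base, v)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("filepath is tainted: %s", t)
	}
	return v, nil
}

// rejected returns the entry names a sanitizer refuses, so both checks can be
// compared against the same archive listing.
func rejected(d string, names []string, sanitize func(string, string) (string, error)) []string {
	var out []string
	for _, n := range names {
		if _, err := sanitize(d, n); err != nil {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	dst := "/home/user/extract-output"
	// Constructed listing modelled on the PoC tar: three OTLP files, two traversal entries.
	entries := []string{"otel_traces/0001.json", "otel_metrics/0001.json", "otel_logs/0001.json",
		"../extract-outputevil/poc-proof.txt", "../extract-outputevil/nested/poc-proof-2.txt"}
	fmt.Println("vulnerable check rejects:", rejected(dst, entries, vulnerableSanitize)) // []
	fmt.Println("hardened check rejects:  ", rejected(dst, entries, hardenedSanitize))
}
```

A plain `../outside.txt` entry fails even the vulnerable check; only names whose first escaped component begins with the destination's own basename slip through, which is why the PoC needs the `extract-outputevil` sibling.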
Analysis
Path traversal in the `extractor` CLI tool and `extract.DumpOTelCollector` library function allows attackers to write files outside the intended extraction directory by exploiting an incomplete path validation check in the `sanitizeArchivePath` function. A maliciously crafted tar archive can bypass the prefix check and place arbitrary files on the system when processed. …
Remediation
Within 7 days: Identify all affected systems and apply vendor patches promptly. Review file handling controls and restrict upload directories.
External POC / Exploit Code
GHSA-f7cq-gvh6-qr25