GHSA-322X-V876-G883

Vulnerability from github – Published: 2026-07-02 20:19 – Updated: 2026-07-02 20:19
VLAI
Summary
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
Details

Summary

The matchFileSnapshot function in src/assertions/snapshots.ts accepted a filePath parameter with zero validation. When snapshot update mode was active (UPDATE_SNAPSHOTS=1 or setUpdateMode('all')), an attacker who controls test input could write arbitrary content to any filesystem path the process has write access to, including creating intermediate directories.

Affected Code

File: src/assertions/snapshots.ts, lines 732-769

export function matchFileSnapshot(actual: unknown, filePath: string): void {
  const serialized = serialize(actual);
  const mode = resolveUpdateMode();
  const fileExists = fs.existsSync(filePath);

  if (!fileExists) {
    if (mode === 'all' || mode === 'new') {
      const dir = path.dirname(filePath);
      if (!fs.existsSync(dir)) {
        fs.mkdirSync(dir, { recursive: true });
      }
      fs.writeFileSync(filePath, serialized, 'utf-8');

The filePath flows from expect(value).toMatchFileSnapshot(filePath) at index.ts:1033-1035 with no sanitization, no check that the path is within an expected directory, and no symlink resolution.

Proof of Concept

import { expect, setUpdateMode } from '@asymmetric-effort/nogginlessdom';

setUpdateMode('all');

// Writes arbitrary content to any writable path
expect('malicious content').toMatchFileSnapshot('/tmp/exploit/payload.txt');

// Path traversal via relative components
expect('data').toMatchFileSnapshot('../../../tmp/evil.txt');

// In CI environments, could overwrite CI config
expect('injected step').toMatchFileSnapshot('/home/runner/.github/workflows/backdoor.yml');

Impact

In CI/CD environments where test files may come from untrusted pull requests, this allows writing to any writable filesystem location with directory creation. An attacker could overwrite configuration files, inject code into build artifacts, or modify CI pipeline definitions.

Fix

Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/785e6ac6e124d1a89b3ccf40bbd75fc8e4cb215d on main. The matchFileSnapshot function now validates that the resolved file path is within the project root directory (defaults to process.cwd(), configurable via optional projectRoot parameter). Paths that resolve outside the project directory are rejected with a descriptive error.

export function matchFileSnapshot(
  actual: unknown,
  filePath: string,
  projectRoot?: string,
): void {
  const root = projectRoot ?? process.cwd();
  const resolved = path.resolve(root, filePath);
  if (!resolved.startsWith(root + path.sep) && resolved !== root) {
    throw new Error(
      `File snapshot path must be within the project directory: ${filePath}`,
    );
  }
  // ... all subsequent file I/O uses `resolved` instead of `filePath`
}
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@asymmetric-effort/nogginlessdom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:19:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `matchFileSnapshot` function in `src/assertions/snapshots.ts` accepted a `filePath` parameter with zero validation. When snapshot update mode was active (`UPDATE_SNAPSHOTS=1` or `setUpdateMode(\u0027all\u0027)`), an attacker who controls test input could write arbitrary content to any filesystem path the process has write access to, including creating intermediate directories.\n\n## Affected Code\n\n**File:** `src/assertions/snapshots.ts`, lines 732-769\n\n```typescript\nexport function matchFileSnapshot(actual: unknown, filePath: string): void {\n  const serialized = serialize(actual);\n  const mode = resolveUpdateMode();\n  const fileExists = fs.existsSync(filePath);\n\n  if (!fileExists) {\n    if (mode === \u0027all\u0027 || mode === \u0027new\u0027) {\n      const dir = path.dirname(filePath);\n      if (!fs.existsSync(dir)) {\n        fs.mkdirSync(dir, { recursive: true });\n      }\n      fs.writeFileSync(filePath, serialized, \u0027utf-8\u0027);\n```\n\nThe `filePath` flows from `expect(value).toMatchFileSnapshot(filePath)` at `index.ts:1033-1035` with no sanitization, no check that the path is within an expected directory, and no symlink resolution.\n\n## Proof of Concept\n\n```typescript\nimport { expect, setUpdateMode } from \u0027@asymmetric-effort/nogginlessdom\u0027;\n\nsetUpdateMode(\u0027all\u0027);\n\n// Writes arbitrary content to any writable path\nexpect(\u0027malicious content\u0027).toMatchFileSnapshot(\u0027/tmp/exploit/payload.txt\u0027);\n\n// Path traversal via relative components\nexpect(\u0027data\u0027).toMatchFileSnapshot(\u0027../../../tmp/evil.txt\u0027);\n\n// In CI environments, could overwrite CI config\nexpect(\u0027injected step\u0027).toMatchFileSnapshot(\u0027/home/runner/.github/workflows/backdoor.yml\u0027);\n```\n\n## Impact\n\nIn CI/CD environments where test files may come from untrusted pull requests, this allows writing to any writable filesystem location with directory creation. An attacker could overwrite configuration files, inject code into build artifacts, or modify CI pipeline definitions.\n\n## Fix\n\nFixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/785e6ac6e124d1a89b3ccf40bbd75fc8e4cb215d on `main`. The `matchFileSnapshot` function now validates that the resolved file path is within the project root directory (defaults to `process.cwd()`, configurable via optional `projectRoot` parameter). Paths that resolve outside the project directory are rejected with a descriptive error.\n\n```typescript\nexport function matchFileSnapshot(\n  actual: unknown,\n  filePath: string,\n  projectRoot?: string,\n): void {\n  const root = projectRoot ?? process.cwd();\n  const resolved = path.resolve(root, filePath);\n  if (!resolved.startsWith(root + path.sep) \u0026\u0026 resolved !== root) {\n    throw new Error(\n      `File snapshot path must be within the project directory: ${filePath}`,\n    );\n  }\n  // ... all subsequent file I/O uses `resolved` instead of `filePath`\n}\n```",
  "id": "GHSA-322x-v876-g883",
  "modified": "2026-07-02T20:19:20Z",
  "published": "2026-07-02T20:19:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/NogginLessDom/security/advisories/GHSA-322x-v876-g883"
    },
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/NogginLessDom/commit/785e6ac6e124d1a89b3ccf40bbd75fc8e4cb215d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/asymmetric-effort/NogginLessDom"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@asymmetric-effort/nogginlessdom\u0027s Path Traversal in matchFileSnapshot allows arbitrary file write"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…