If an existing symbolic link exists inside the coverage directory, it can overwrite arbitrary files elsewhere on the system.
This is also true for hard-linked files.
This library MUST remove the files in the coverage before attempting to overwrite them in order to fix this security issue.
Steps to repro:
echo "Don't delete me!" > ~/super-important-file.txt
# Set up a rails project with SimpleCov coverage testing
rails new --skip-bootsnap temp
cd temp
bundle add simplecov
printf 'require "simplecov"\nSimpleCov.start "rails"\n' >> test/test_helper.rb
# Set up our symlink attack vector
mkdir -p coverage
ln -s ~/super-important-file.txt coverage/index.html
# Run the test -- this OVERWRITES ~/super-important-file.txt
bin/rails test
cat ~/super-important-file.txt
# Our file has been replaced with HTML :-(
This is only an example, but imagine if you were running tests as root.
Related issue: #133 -- when this one is fixed, that one will also likely be fixed.
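The fix requested above (remove the existing entry before writing), shown beside the link-following write, as an added Ruby example that is not part of the original issue and is not SimpleCov's code. The names `naive_write`, `safe_write` and `victim_after` are hypothetical, and the scenario is constructed in a temporary directory.

```ruby
require "tmpdir"
require "fileutils"

# Vulnerable pattern: File.write opens with O_WRONLY|O_CREAT|O_TRUNC, which
# follows an existing symlink (or reuses a hard-linked inode) at `path`.
def naive_write(path, data)
  File.write(path, data)
end

# Hardened pattern: drop whatever directory entry is there, then create a
# brand-new file. O_EXCL makes the open fail if an entry (including a
# symlink) reappears between the unlink and the open.
def safe_write(path, data)
  File.unlink(path) if File.symlink?(path) || File.exist?(path)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if defined?(File::NOFOLLOW)
  File.open(path, flags, 0o644) { |f| f.write(data) }
end

# Constructed scenario: returns the victim file's contents after a report
# write, with index.html symlinked (:symlink) or hard-linked (:hardlink).
def victim_after(writer, link_kind)
  Dir.mktmpdir do |root|
    victim = File.join(root, "super-important-file.txt")
    File.write(victim, "Don't delete me!\n")
    coverage = File.join(root, "coverage")
    FileUtils.mkdir_p(coverage)
    report = File.join(coverage, "index.html")
    link_kind == :symlink ? File.symlink(victim, report) : File.link(victim, report)
    send(writer, report, "<html>coverage report</html>\n")
    File.read(victim)
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[symlink hardlink].each do |kind|
    %i[naive_write safe_write].each do |writer|
      puts "#{writer} via #{kind}: victim = #{victim_after(writer, kind).inspect}"
    end
  end
end
```

This covers only the final path component; a `coverage` directory that is itself a symlink is outside what the example checks.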
I'm not clear how this is an exploitable fault on SimpleCov's side. For this to be an exploitable vulnerability someone would already need to have enough access to your system to create a symlink in a directory. SimpleCov also isn't run in production, but in development or on a CI server.
If someone had write access to files on a computer where SimpleCov is running they could rewrite/append to any given Ruby file and modify it to instead perform arbitrary code execution.