
4.1.2

Released by @tillprochaska on 12 Jun 16:42 · commit ef90ce5

This version contains a patch for a security vulnerability in ingest-file, the component that processes files uploaded to Aleph. We recommend that you update Aleph instances you operate to use the latest patched release of ingest-file.

Please find detailed information about the patched vulnerability below.

How to update

If you operate Aleph using Docker Compose, update the ingest-file service in your Docker Compose configuration to use the image ghcr.io/alephdata/ingest-file:4.1.2.

If you operate Aleph using the Helm chart, update the aleph.ingestfile.image.tag value to 4.1.2.

Summary

Previous versions of ingest-file handled 7zip archives containing symbolic links insecurely. When processing 7zip archives, ingest-file followed symbolic links even when their targets pointed outside of the archive. A maliciously crafted archive therefore allowed an attacker who could get a file ingested (for example by uploading it) to access arbitrary files in the ingest-file container.

Depending on the exact configuration and deployment method, this might include:

  • Access to files uploaded to Aleph if the file-system archive backend is used (rather than object storage such as S3 or Google Cloud Storage), because the file archive directory is mounted into the container.
  • Access to environment variables.
  • Access to secrets mounted into the container.

Affected versions

All versions of ingest-file prior to 4.1.2 (this release) are affected.

Solution

ingest-file 4.1.2 contains a patch for the security vulnerability. 7zip archives containing symbolic links are now validated, and archives containing symbolic links that point to files outside of the archive are rejected.
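The following is an added example of the kind of check described above. It is not ingest-file's own code and does not claim to mirror the 4.1.2 patch: archive members are modelled as constructed (name, kind, target) tuples rather than read from a real 7zip file, so it runs offline. The check resolves each member against the archive's own logical tree, so a link is judged by where it would finally point after extraction, which also catches links that chain through other links and links that loop.

```python
"""Reject archive members whose symbolic links escape the archive root.

Added example (not ingest-file code). Members are constructed
(name, kind, target) tuples; the hypothetical helper names below are
chosen for this illustration only.
"""

MAX_LINK_DEPTH = 40  # guards against symlink loops such as a -> b -> a


class UnsafeArchiveMember(ValueError):
    """Raised for a member that would resolve outside the archive root."""


def _clean(path):
    """Lexically drop empty and '.' components so names compare consistently."""
    return "/".join(c for c in path.split("/") if c not in ("", "."))


def _resolve(path, symlinks, depth=0):
    """Return the root-relative components `path` denotes once every link in
    `symlinks` (cleaned archive path -> link target) has been followed.

    Raises UnsafeArchiveMember if resolution leaves the root, hits an
    absolute target, or recurses deeper than MAX_LINK_DEPTH.
    """
    if depth > MAX_LINK_DEPTH:
        raise UnsafeArchiveMember(f"symlink chain too deep or looping at {path!r}")
    if path.startswith("/"):
        raise UnsafeArchiveMember(f"absolute path {path!r}")
    resolved = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not resolved:
                raise UnsafeArchiveMember(f"path escapes archive root: {path!r}")
            resolved.pop()
            continue
        resolved.append(comp)
        target = symlinks.get("/".join(resolved))
        if target is not None:
            # Replace the link with its target, rebased on the link's own
            # directory, and keep walking from there (handles chains).
            parent = "/".join(resolved[:-1])
            if target.startswith("/") or not parent:
                rebased = target
            else:
                rebased = f"{parent}/{target}"
            resolved = _resolve(rebased, symlinks, depth + 1)
    return resolved


def find_unsafe_members(members):
    """members: iterable of (name, kind, target), kind in {"file", "dir", "symlink"}.

    Returns a list of (name, reason) for every member that must be rejected;
    an empty list means every member stays inside the archive root.
    """
    symlinks = {_clean(n): t for n, k, t in members if k == "symlink"}
    problems = []
    for name, _kind, _target in members:
        try:
            _resolve(name, symlinks)
        except UnsafeArchiveMember as exc:
            problems.append((name, str(exc)))
    return problems


def archive_is_safe(members):
    """Convenience wrapper: True only if no member is rejected."""
    return not find_unsafe_members(members)


# Constructed sample listing, standing in for the members of a 7zip archive.
SAMPLE_MEMBERS = [
    ("docs/readme.txt", "file", None),
    ("docs/latest", "symlink", "readme.txt"),                # stays inside docs/
    ("passwd", "symlink", "../../etc/passwd"),               # classic escape
    ("db_password", "symlink", "/run/secrets/db_password"),  # absolute target
    ("hop1", "symlink", "hop2"),
    ("hop2", "symlink", "../../root/.ssh/id_rsa"),           # escape via a chain
    ("loop_a", "symlink", "loop_b"),
    ("loop_b", "symlink", "loop_a"),                         # loop: reject as well
]

if __name__ == "__main__":
    for name, reason in find_unsafe_members(SAMPLE_MEMBERS):
        print(f"reject {name}: {reason}")
    print("safe" if archive_is_safe(SAMPLE_MEMBERS) else "archive rejected")
```

The whole archive is rejected if any member fails, which is the conservative choice the release describes; extracting the "good" members and skipping the bad ones would still leave later members free to traverse through a link that was written earlier.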

Credits

OCCRP would like to thank everyone who identified this vulnerability and contributed to its resolution:

  • Responsibly disclosed by InterSecLab
  • Patch by Alex Ștefănescu
  • Research, Testing, Validation: Alex Ștefănescu, Simon Wörpel, Jan Strozyk, Friedrich Lindenberg