Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In `@backstage/techdocs-common` versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for `docs_dir` in `mkdocs.yml`. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that an attacker would need access to modify the `mkdocs.yml` in the documentation source code, and would also need access to the TechDocs backend API. The vulnerability is patched in the `0.6.3` release of `@backstage/techdocs-common`.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6 | third party advisory |
| https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208 | third party advisory patch |
| https://github.com/backstage/backstage/releases/tag/release-2021-05-27 | third party advisory release notes |