CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-322x-v876-g883: @asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write

high
Summary The matchFileSnapshot function in src/assertions/snapshots.ts accepted a filePath parameter with zero validation. When snapshot update mode was active (UPDATE_SNAPSHOTS=1 or setUpdateMode('all')), an attacker who controls test input could write arbitrary content to any filesystem path the process has write access to, including creating intermediate directories. Affected Code File: src/assertions/snapshots.ts, lines 732-769 export function matchFileSnapshot(actual: unknown, filePath: string): void { const serialized = serialize(actual); const mode = resolveUpdateMode(); const fileExists = fs.existsSync(filePath); if (!fileExists) { if (mode === 'all' || mode === 'new') { const dir = path.dirname(filePath); if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }); } fs.writeFileSync(filePath, serialized, 'utf-8'); The filePath flows from expect(value).toMatchFileSnapshot(filePath) at index.ts:1033-1035 with no sanitization, no check that the path is within an expected directory, and no symlink resolution. Proof of Concept import { expect, setUpdateMode } from '@asymmetric-effort/nogginlessdom'; setUpdateMode('all'); // Writes arbitrary content to any writable path expect('malicious content').toMatchFileSnapshot('/tmp/exploit/payload.txt'); // Path traversal via relative components expect('data').toMatchFileSnapshot('../../../tmp/evil.txt'); // In CI environments, could overwrite CI config expect('injected step').toMatchFileSnapshot('/home/runner/.github/workflows/backdoor.yml'); Impact In CI/CD environments where test files may come from untrusted pull requests, this allows writing to any writable filesystem location with directory creation. An attacker could overwrite configuration files, inject code into build artifacts, or modify CI pipeline definitions. Fix Fixed in commit https://github.com/asymmetric-effort/NogginL

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-322x-v876-g883

More from GitHub Security Advisories