BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
Summary
BentoML's bentoml build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.
If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as loot.txt -> /tmp/outside-marker.txt or a link to a more sensitive local file. When bentoml build runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows.
Details
The vulnerable code walks files under the build context and copies each matched entry into the Bento source directory:
for root, _, files in os.walk(ctx_path):
for f in files:
dir_path = os.path.relpath(root, ctx_path)
path = os.path.join(dir_path, f).replace(os.sep, "/")
if specs.includes(path):
src_file = ctx_path.joinpath(path)
dst_file = target_fs.joinpath(dest_path)
shutil.copy(src_file, dst_file)
There is no validation that the resolved path of src_file remains inside ctx_path before shutil.copy dereferences the source path. As a result, a repository-controlled symlink can cross the trust boundary from attacker-controlled repository content to developer/CI host filesystem during the build process.
This is a build-time path traversal / symlink traversal issue in the packaging feature, not a runtime API issue. The resulting Bento may later be exported, pushed to remote storage, or converted into a container image, which amplifies the leakage impact.
PoC
The issue was verified in WSL against BentoML 1.4.38. The following script reproduces the vulnerability by using a harmless marker file outside the build directory.
mkdir -p /tmp/bento-symlink-poc
cd /tmp/bento-symlink-poc
printf 'BENTOML_SYMLINK_POC_123456\n' > /tmp/outside-marker.txt
cat > service.py bentofile.yaml