CWE-22/CWE-73 in permutation cache path: APEX_ASP_CACHE_DIR controls write destination #1998

@BeforeGodKnows

Description

Affected locations:

  • apex/apex/contrib/sparsity/permutation_search_kernels/exhaustive_search.py:77
  • apex/apex/contrib/sparsity/permutation_search_kernels/exhaustive_search.py:91

Vulnerability Details:

  • In generate_all_unique_combinations(), the cache directory is read from APEX_ASP_CACHE_DIR and then used directly in np.save(cache_file_path, ...).
  • There is no base-directory constraint or canonical path validation before write, so externally controlled input can affect the write destination (CWE-22/CWE-73).

Repo-based reproduction steps:

First, modify the local apex path in the PoC at line 55, repo_apex = Path("apex"). Then run the PoC:

python poc_01_apex_cache_dir_write.py

Expected result:

  • Output contains [+] success: controlled write observed.
  • permutations_4_4.npy is created under the printed attacker-controlled directory.

Security impact:

  • In environment-variable-controllable scenarios (for example CI/job wrappers), an attacker can redirect cache writes to arbitrary writable locations, creating cache-poisoning or file-overwrite risk.

Remediation suggestions:

  • Canonicalize and constrain APEX_ASP_CACHE_DIR to an allowed base directory.
  • Validate the resolved path against an allowlisted base (for example resolved_path.is_relative_to(allowed_base) or equivalent logic).
  • Fall back to a safe default directory when validation fails.

Attachments:

  • poc_01_apex_cache_dir_write.py

Credit
BeforeGodKnows

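One way to implement the remediation suggested above, as an added example that is neither apex's own code nor the reporter's PoC: a helper that canonicalises the value read from APEX_ASP_CACHE_DIR, checks the resolved path against an allowlisted base directory, and falls back to a safe default when the check fails. The function names, parameter names and the default base directory are assumptions; only the environment variable name and the permutations_M_N.npy file naming come from the report.

```python
import os
from pathlib import Path

# Assumed default cache location; the real apex code chooses its own default.
DEFAULT_CACHE_BASE = Path.home() / ".cache" / "apex_asp"


def resolve_cache_dir(env_value, allowed_base=DEFAULT_CACHE_BASE, default=None):
    """Return a cache directory guaranteed to lie under allowed_base.

    env_value:    raw string from APEX_ASP_CACHE_DIR, or None if unset
    allowed_base: the only directory tree cache files may be written into
    default:      directory used when env_value is unset or fails validation
                  (defaults to allowed_base itself)
    """
    allowed_base = Path(allowed_base).resolve()
    default = Path(default).resolve() if default is not None else allowed_base

    if not env_value:
        return default

    candidate = Path(env_value)
    # Relative paths are rejected outright so the process's current working
    # directory cannot influence where cache files land.
    if not candidate.is_absolute():
        return default

    # resolve() collapses ".." components and follows symlinks, so the
    # containment check below runs on the canonical path, not the raw string.
    resolved = candidate.resolve()

    # relative_to() is a true path-component check: a sibling such as
    # "<base>_other" fails it even though it shares a string prefix with base.
    # (On Python 3.9+ this is equivalent to resolved.is_relative_to(allowed_base).)
    try:
        resolved.relative_to(allowed_base)
    except ValueError:
        return default
    return resolved


def cache_dir_from_environment(allowed_base=DEFAULT_CACHE_BASE):
    """Read APEX_ASP_CACHE_DIR from the environment and validate it."""
    return resolve_cache_dir(os.environ.get("APEX_ASP_CACHE_DIR"), allowed_base)


def permutation_cache_file(cache_dir, m, n):
    """Build the permutations_M_N.npy path inside an already validated directory."""
    return Path(cache_dir) / f"permutations_{m}_{n}.npy"


if __name__ == "__main__":
    # Constructed demonstration values, not real deployment paths.
    base = "/tmp/apex_cache_allowed"
    for value in [None, "/tmp/apex_cache_allowed/job1",
                  "/tmp/apex_cache_allowed/../elsewhere",
                  "/tmp/apex_cache_allowed_sibling", "relative/dir"]:
        chosen = resolve_cache_dir(value, base)
        print(f"{value!r:45} -> {permutation_cache_file(chosen, 4, 4)}")
```

The caller replaces the direct use of the environment variable with cache_dir_from_environment() and only then builds cache_file_path; any value that does not resolve inside the allowed base silently collapses to the default, so a misconfigured or hostile variable can at worst select the default directory.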
