fix: ensure symlinks do not write unexpectedly (#322)
* fix: ensure symlinks do not write unexpectedly

* update spec name:
MarshallOfSound authored Sep 10, 2024
1 parent 88b5ea4 commit 4f7abe9
Showing 3 changed files with 13 additions and 0 deletions.
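--- a/src/asar.ts
+++ b/src/asar.ts
@@ -221,6 +221,9 @@ export function extractAll(archivePath: string, dest: string) {
 const filename = fullPath.substr(1);
 const destFilename = path.join(dest, filename);
 const file = filesystem.getFile(filename, followLinks);
+if (path.relative(dest, destFilename).startsWith('..')) {
+throw new Error(`${fullPath}: file "${destFilename}" writes out of the package`);
+}
 if ('files' in file) {
 // it's a directory, create it and continue with the next entry
 fs.mkdirpSync(destFilename);
@@ -234,6 +237,11 @@ export function extractAll(archivePath: string, dest: string) {
 fs.unlinkSync(destFilename);
 } catch {}
 const linkTo = path.join(relativePath, path.basename(file.link));
+if (path.relative(dest, linkSrcPath).startsWith('..')) {
+throw new Error(
+`${fullPath}: file "${file.link}" links out of the package to "${linkSrcPath}"`,
+);
+}
 fs.symlinkSync(linkTo, destFilename);
 } else {
 // it's a file, try to extract it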
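Review bot: The containment test `path.relative(dest, destFilename).startsWith('..')` in the first hunk is a string-prefix comparison, so it also rejects a legitimate entry whose first path segment merely begins with two dots (for example `..data`), and it would not catch a result that `path.relative` returns as an absolute path, which happens on Windows when the two paths sit on different drives. Comparing whole segments is tighter: `const rel = path.relative(dest, destFilename);` followed by `if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {`. The second hunk's check on `linkSrcPath` has the same shape, and it runs after `fs.unlinkSync(destFilename)`, so an existing file at the destination has already been removed by the time the archive is rejected; moving the check above the unlink keeps a rejected archive from having side effects. `linkSrcPath` is defined outside the visible lines, so how it is derived from `file.link` could not be confirmed here, and the body of `extractAll` extends beyond both hunks.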
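--- a/test/api-spec.js
+++ b/test/api-spec.js
@@ -119,6 +119,11 @@ describe('api', function () {
 'test/input/packthis-with-symlink/real.txt',
 );
 });
+it('should not extract an archive with a bad symlink', async () => {
+assert.throws(() => {
+asar.extractAll('test/input/bad-symlink.asar', 'tmp/bad-symlink/');
+});
+});
 it('should handle multibyte characters in paths', async () => {
 await asar.createPackageWithOptions(
 'test/input/packthis-unicode-path/',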
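Review bot: `assert.throws` in the new test is called without an expected-error argument, so the test passes on any exception, including a missing or unreadable fixture, and would keep passing if the containment guard were removed but extraction failed for an unrelated reason. Passing a matcher as the second argument ties the test to the guard, e.g. closing the call with `}, /out of the package/);`, which matches both messages thrown by the new checks. The test also does not assert that nothing was created outside `tmp/bad-symlink/`, which is the property the fix is meant to protect. Judging by the fixture name only the symlink branch is exercised; the first check (an entry path resolving outside `dest`) appears to have no test in this commit. The enclosing `describe` block starts and ends outside the hunk.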
Binary file added test/input/bad-symlink.asar
Binary file not shown.
