symbolic link gets corrupted about node-tar HOT 7 CLOSED

I ran into this too. It seems to be a bug introduced in 2.0.0. So a workaround is to downgrade to 1.0.3 for the time being.

from node-tar.

This behavior is the consequence of a fix for a security issue that had been lurking in npm for a long time. Unfortunately, allowing symlinks inside tarballs to point outside the extraction destination allows tarballs to overwrite files to which the tarball should have no access under certain circumstances, and so node-tar normalizes them.

It's possible we could add a flag to node-tar along the lines of unsafeSymlinks to get back the old behavior, but it would have to be done in such a way that it's disabled by default for users of the package, because of the underlying security problem.

from node-tar.

@othiym23 I think that's a good idea, but in this case, we are actually not linking to something outside of the tarball, and it's being resolved to the wrong absolute thing anyway.

The symlink is something like:

foo/bin/npm -> ../lib/some/path

So, even if we resolve it, it should resolve to /extract/path/foo/lib/some/path, but instead, it's going to /extract/path/lib/some/path, which is incorrect.

It looks like we're doing path.join(extractPath, path.join('/', linkPath)), and we ought to be doing something like path.join(extractPath, path.join('/', path.join(entryPath, linkPath))) or something. Ie, first resolve the linkPath against the entryPath, and then make it absolute.

Also, we don't have to make it absolute if it doesn't end up linking outside of the extractPath.

from node-tar.

OK, I understand now. This is definitely on us to fix. Sorry for the false alarm.

from node-tar.

@jfromaniello Can you verify that this is fixed in 2.0.1?

from node-tar.

@isaacs It works perfectly now!

Thank you both,

from node-tar.

Can also confirm this fixes this issue. Thanks Forrest && Isaac! :)

from node-tar.