Comments (7)
I ran into this too. It seems to be a bug introduced in 2.0.0. So a workaround is to downgrade to 1.0.3 for the time being.
from node-tar.
This behavior is the consequence of a fix for a security issue that had been lurking in npm for a long time. Unfortunately, allowing symlinks inside tarballs to point outside the extraction destination allows tarballs to overwrite files to which the tarball should have no access under certain circumstances, and so node-tar normalizes them.
It's possible we could add a flag to node-tar along the lines of unsafeSymlinks to get back the old behavior, but it would have to be done in such a way that it's disabled by default for users of the package, because of the underlying security problem.
@othiym23 I think that's a good idea, but in this case, we are actually not linking to something outside of the tarball, and it's being resolved to the wrong absolute thing anyway.
The symlink is something like:
foo/bin/npm -> ../lib/some/path
So, even if we resolve it, it should resolve to /extract/path/foo/lib/some/path, but instead, it's going to /extract/path/lib/some/path, which is incorrect.
It looks like we're doing path.join(extractPath, path.join('/', linkPath)), and we ought to be doing something like path.join(extractPath, path.join('/', path.join(entryPath, linkPath))) or something. I.e., first resolve the linkPath against the entryPath, and then make it absolute.
Also, we don't have to make it absolute if it doesn't end up linking outside of the extractPath.
OK, I understand now. This is definitely on us to fix. Sorry for the false alarm.
@jfromaniello Can you verify that this is fixed in 2.0.1?
@isaacs It works perfectly now!
Thank you both,
Can also confirm this fixes this issue. Thanks Forrest && Isaac! :)