wraithgar committed Nov 21, 2024
1 parent a06faf5 commit 7b9edc4
Showing 4 changed files with 29 additions and 11 deletions.
27 changes: 22 additions & 5 deletions node_modules/tar/lib/unpack.js
Expand Up @@ -48,6 +48,7 @@ const crypto = require('crypto')
const getFlag = require('./get-write-flag.js')
const platform = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform
const isWindows = platform === 'win32'
const DEFAULT_MAX_DEPTH = 1024

// Unlinks on Windows are not atomic.
//
Expand Down Expand Up @@ -181,6 +182,12 @@ class Unpack extends Parser {
this.processGid = (this.preserveOwner || this.setOwner) && process.getgid ?
process.getgid() : null

// prevent excessively deep nesting of subfolders
// set to `Infinity` to remove this restriction
this.maxDepth = typeof opt.maxDepth === 'number'
? opt.maxDepth
: DEFAULT_MAX_DEPTH

// mostly just for testing, but useful in some cases.
// Forcibly trigger a chown on every entry, no matter what
this.forceChown = opt.forceChown === true
Expand Down Expand Up @@ -238,13 +245,13 @@ class Unpack extends Parser {
}

[CHECKPATH] (entry) {
const p = normPath(entry.path)
const parts = p.split('/')

if (this.strip) {
const parts = normPath(entry.path).split('/')
if (parts.length < this.strip) {
return false
}
entry.path = parts.slice(this.strip).join('/')

if (entry.type === 'Link') {
const linkparts = normPath(entry.linkpath).split('/')
if (linkparts.length >= this.strip) {
Expand All @@ -253,11 +260,21 @@ class Unpack extends Parser {
return false
}
}
parts.splice(0, this.strip)
entry.path = parts.join('/')
}

if (isFinite(this.maxDepth) && parts.length > this.maxDepth) {
this.warn('TAR_ENTRY_ERROR', 'path excessively deep', {
entry,
path: p,
depth: parts.length,
maxDepth: this.maxDepth,
})
return false
}

if (!this.preservePaths) {
const p = normPath(entry.path)
const parts = p.split('/')
if (parts.includes('..') || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) {
this.warn('TAR_ENTRY_ERROR', `path contains '..'`, {
entry,
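Review bot: The constructor guard `typeof opt.maxDepth === 'number'` (second hunk) also admits `NaN`, and because `isFinite(NaN)` is false the depth check in the third hunk is then skipped entirely, so a caller passing a computed-but-invalid number silently gets no limit at all rather than the 1024 default; `this.maxDepth = typeof opt.maxDepth === 'number' && !Number.isNaN(opt.maxDepth) ? opt.maxDepth : DEFAULT_MAX_DEPTH` keeps `Infinity` working as documented while closing that gap, and `Number.isFinite` is the non-coercing form to use at the check itself. In the warning payload, `path: p` is the path before stripping while `depth: parts.length` is measured after `parts.splice(0, this.strip)`, so the two fields describe different strings when `strip` is set; reporting `entry.path` (already updated two lines above) would make them agree, unless the pre-strip path is intentional. As a point of style, the `const p` / `const parts` inside `if (!this.preservePaths)` now shadow the new outer bindings of the same names; renaming or reusing them would avoid a reader assuming they are the same values. `[CHECKPATH]` and the `Unpack` class both continue outside the hunk.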
2 changes: 1 addition & 1 deletion node_modules/tar/package.json
Expand Up @@ -2,7 +2,7 @@
"author": "GitHub Inc.",
"name": "tar",
"description": "tar for node",
"version": "6.2.0",
"version": "6.2.1",
"repository": {
"type": "git",
"url": "https://github.com/isaacs/node-tar.git"
9 changes: 5 additions & 4 deletions package-lock.json
Expand Up @@ -151,7 +151,7 @@
"spdx-expression-parse": "^3.0.1",
"ssri": "^10.0.5",
"supports-color": "^9.4.0",
"tar": "^6.2.0",
"tar": "^6.2.1",
"text-table": "~0.2.0",
"tiny-relative-date": "^1.3.0",
"treeverse": "^3.0.0",
Expand Down Expand Up @@ -14650,10 +14650,11 @@
}
},
"node_modules/tar": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/tar/-/tar-6.2.0.tgz",
"integrity": "sha512-/Wo7DcT0u5HUV486xg675HtjNd3BXZ6xDbzsCUZPt5iw8bTQ63bP0Raut3mvro9u+CUyq7YQd8Cx55fsZXxqLQ==",
"version": "6.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
"integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
"inBundle": true,
"license": "ISC",
"dependencies": {
"chownr": "^2.0.0",
"fs-minipass": "^2.0.0",
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -114,7 +114,7 @@
"spdx-expression-parse": "^3.0.1",
"ssri": "^10.0.5",
"supports-color": "^9.4.0",
"tar": "^6.2.0",
"tar": "^6.2.1",
"text-table": "~0.2.0",
"tiny-relative-date": "^1.3.0",
"treeverse": "^3.0.0",
