Skip to content

Commit

Permalink
fix: skip extract if linkpath is stripped entirely
Browse files Browse the repository at this point in the history
Fix tar.Unpack() to skip extraction of hardlinks and symlinks when a
'strip' option is provided, if the entry linkpath would be completely
stripped.

Previously, the linkpath would not be stripped if it had fewer path parts
than the strip option.

This matches the behavior of modern versions of bsdtar.  Gnutar has the
same extraction semantics, but emits a warning when the resulting
linkpath is completely stripped.
  • Loading branch information
isaacs committed Aug 11, 2021
1 parent 5c5059a commit 6aafff0
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 10 deletions.
2 changes: 2 additions & 0 deletions lib/unpack.js
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,8 @@ class Unpack extends Parser {
const linkparts = normPath(entry.linkpath).split('/')
if (linkparts.length >= this.strip)
entry.linkpath = linkparts.slice(this.strip).join('/')
else
return false
}
}

Expand Down
12 changes: 2 additions & 10 deletions test/unpack.js
Original file line number Diff line number Diff line change
Expand Up @@ -191,16 +191,8 @@ t.test('links!', t => {
t.end()
}
const checkForStrip3 = t => {
t.ok(fs.lstatSync(dir + '/3').isDirectory())
let err = null
try {
fs.lstatSync(dir + '/3/hardlink-3')
} catch(e) {
err = e
}
// can't be extracted because we've passed it in the tar
// (specially crafted tar for this not to work)
t.equal(err.code, 'ENOENT')
// strips the linkpath entirely, so the link doesn't get extracted.
t.throws(() => fs.lstatSync(dir + '/3'), { code: 'ENOENT' })
t.end()
}

Expand Down

0 comments on commit 6aafff0

Please sign in to comment.