File tree 2 files changed +3
-1
lines changed
2 files changed +3
-1
lines changed Original file line number Diff line number Diff line change @@ -254,6 +254,8 @@ exports.extract = function (cwd, opts) {
254254 var onsymlink = function ( ) {
255255 if ( win32 ) return next ( ) // skip symlinks on win for now before it can be tested
256256 xfs . unlink ( name , function ( ) {
257+ var dst = path . resolve ( path . dirname ( name ) , header . linkname )
258+ if ( ! dst . startsWith ( path . resolve ( cwd ) ) ) return next ( new Error ( name + ' is not a valid symlink' ) )
257259 xfs . symlink ( header . linkname , name , stat )
258260 } )
259261 }
Original file line number Diff line number Diff line change @@ -304,7 +304,7 @@ test('do not extract invalid tar', function (t) {
304304 fs . createReadStream ( a )
305305 . pipe ( tar . extract ( out ) )
306306 . on ( 'error' , function ( err ) {
307- t . ok ( / i s n o t a v a l i d p a t h / i. test ( err . message ) )
307+ t . ok ( / i s n o t a v a l i d s y m l i n k / i. test ( err . message ) )
308308 fs . stat ( path . join ( out , '../bar' ) , function ( err ) {
309309 t . ok ( err )
310310 t . end ( )
You can’t perform that action at this time.
0 commit comments