fix: checking if symlink with same prefix points outside the directory (#335)

fix: checking if symlink points outside the directory. (https://github.com/electron/asar/issues/303)
2024-11-06 10:15:18 -08:00 · 2024-11-06 10:15:18 -08:00 · 9ec1830ec2
--- a/src/crawlfs.ts
+++ b/src/crawlfs.ts
@ -3,6 +3,7 @@ import { glob as _glob } from 'glob';

 import fs from './wrapped-fs';
 import { Stats } from 'fs';
+import * as path from 'path';
 import { IOptions } from './types/glob';

 const glob = promisify(_glob);
@ -48,8 +49,13 @@ export async function crawl(dir: string, options: IOptions) {
      // those appearing in archives we need to manually exclude theme here
      const exactLinkIndex = links.findIndex((link) => filename === link);
      return links.every((link, index) => {
-        if (index === exactLinkIndex) return true;
-        return !filename.startsWith(link);
+        if (index === exactLinkIndex) {
+          return true;
+        }
+        const isFileWithinSymlinkDir = filename.startsWith(link);
+        // symlink may point outside the directory: https://github.com/electron/asar/issues/303
+        const relativePath = path.relative(link, path.dirname(filename));
+        return !isFileWithinSymlinkDir || relativePath.startsWith('..');
      });
    });
  return [filenames, metadata] as const;
--- a/test/api-spec.js
+++ b/test/api-spec.js
@ -119,6 +119,21 @@ describe('api', function () {
      'test/input/packthis-with-symlink/real.txt',
    );
  });
+  it('should extract an archive with symlink having the same prefix', async () => {
+    await asar.createPackageWithOptions(
+      'test/input/packthis-with-symlink-same-prefix/',
+      'tmp/packthis-with-symlink-same-prefix.asar',
+      { dot: false },
+    );
+    asar.extractAll(
+      'tmp/packthis-with-symlink-same-prefix.asar',
+      'tmp/packthis-with-symlink-same-prefix/',
+    );
+    return compFiles(
+      'tmp/packthis-with-symlink-same-prefix/real.txt',
+      'test/input/packthis-with-symlink-same-prefix/real.txt',
+    );
+  });
  it('should not extract an archive with a bad symlink', async () => {
    assert.throws(() => {
      asar.extractAll('test/input/bad-symlink.asar', 'tmp/bad-symlink/');
--- a/test/input/packthis-with-symlink-same-prefix/A
+++ b/test/input/packthis-with-symlink-same-prefix/A
@ -0,0 +1 @@
+AA
--- a/test/input/packthis-with-symlink-same-prefix/AA/real.txt
+++ b/test/input/packthis-with-symlink-same-prefix/AA/real.txt
@ -0,0 +1 @@
+I AM REAL TXT FILE
--- a/test/input/packthis-with-symlink-same-prefix/real.txt
+++ b/test/input/packthis-with-symlink-same-prefix/real.txt
@ -0,0 +1 @@
+AA/real.txt