Comparing version 6.2.0 to 6.2.1
@@ -51,2 +51,3 @@ 'use strict' | ||
| const isWindows = platform === 'win32' | ||
| const DEFAULT_MAX_DEPTH = 1024 | ||
@@ -185,2 +186,8 @@ // Unlinks on Windows are not atomic. | ||
| // prevent excessively deep nesting of subfolders | ||
| // set to `Infinity` to remove this restriction | ||
| this.maxDepth = typeof opt.maxDepth === 'number' | ||
| ? opt.maxDepth | ||
| : DEFAULT_MAX_DEPTH | ||
| // mostly just for testing, but useful in some cases. | ||
@@ -243,9 +250,9 @@ // Forcibly trigger a chown on every entry, no matter what | ||
| [CHECKPATH] (entry) { | ||
| const p = normPath(entry.path) | ||
| const parts = p.split('/') | ||
| if (this.strip) { | ||
| const parts = normPath(entry.path).split('/') | ||
| if (parts.length < this.strip) { | ||
| return false | ||
| } | ||
| entry.path = parts.slice(this.strip).join('/') | ||
| if (entry.type === 'Link') { | ||
@@ -259,7 +266,17 @@ const linkparts = normPath(entry.linkpath).split('/') | ||
| } | ||
| parts.splice(0, this.strip) | ||
| entry.path = parts.join('/') | ||
| } | ||
| if (isFinite(this.maxDepth) && parts.length > this.maxDepth) { | ||
| this.warn('TAR_ENTRY_ERROR', 'path excessively deep', { | ||
| entry, | ||
| path: p, | ||
| depth: parts.length, | ||
| maxDepth: this.maxDepth, | ||
| }) | ||
| return false | ||
| } | ||
| if (!this.preservePaths) { | ||
| const p = normPath(entry.path) | ||
| const parts = p.split('/') | ||
| if (parts.includes('..') || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) { | ||
@@ -266,0 +283,0 @@ this.warn('TAR_ENTRY_ERROR', `path contains '..'`, { |
@@ -5,3 +5,3 @@ { | ||
| "description": "tar for node", | ||
| "version": "6.2.0", | ||
| "version": "6.2.1", | ||
| "repository": { | ||
@@ -8,0 +8,0 @@ "type": "git", |
@@ -118,2 +118,4 @@ # node-tar | ||
| - an unrecoverable fs error happens during unpacking, | ||
| - an entry is trying to extract into an excessively deep | ||
| location (by default, limited to 1024 subfolders), | ||
| - an entry has `..` in the path and `preservePaths` is not set, or | ||
@@ -431,2 +433,6 @@ - an entry is extracting through a symbolic link, when `preservePaths` is | ||
| normally. | ||
| - `maxDepth` The maximum depth of subfolders to extract into. This | ||
| defaults to 1024. Anything deeper than the limit will raise a | ||
| warning and skip the entry. Set to `Infinity` to remove the | ||
| limitation. | ||
@@ -754,2 +760,6 @@ The following options are mostly internal, but can be modified in some | ||
| normally. | ||
| - `maxDepth` The maximum depth of subfolders to extract into. This | ||
| defaults to 1024. Anything deeper than the limit will raise a | ||
| warning and skip the entry. Set to `Infinity` to remove the | ||
| limitation. | ||
@@ -756,0 +766,0 @@ ### class tar.Unpack.Sync |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by0.59%
166613
- Lines of code
- increased by0.39%
3837
- Number of lines in readme file
- increased by0.93%
1081
No dependency changes