+32
-11
@@ -256,18 +256,39 @@ "use strict"; | ||
| [STRIPABSOLUTEPATH](entry, field) { | ||
| const path = entry[field]; | ||
| if (!path || this.preservePaths) | ||
| const p = entry[field]; | ||
| if (!p || this.preservePaths) | ||
| return true; | ||
| const parts = path.split('/'); | ||
| const parts = p.split('/'); | ||
| if (parts.includes('..') || | ||
| /* c8 ignore next */ | ||
| (isWindows && /^[a-z]:\.\.$/i.test(parts[0] ?? ''))) { | ||
| this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { | ||
| entry, | ||
| [field]: path, | ||
| }); | ||
| // not ok! | ||
| return false; | ||
| // For linkpath, check if the resolved path escapes cwd rather than | ||
| // just rejecting any path with '..' - relative symlinks like | ||
| // '../sibling/file' are valid if they resolve within the cwd. | ||
| // For paths, they just simply may not ever use .. at all. | ||
| if (field === 'path') { | ||
| this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { | ||
| entry, | ||
| [field]: p, | ||
| }); | ||
| // not ok! | ||
| return false; | ||
| } | ||
| else { | ||
| // Resolve linkpath relative to the entry's directory. | ||
| // `path.posix` is safe to use because we're operating on | ||
| // tar paths, not a filesystem. | ||
| const entryDir = node_path_1.default.posix.dirname(entry.path); | ||
| const resolved = node_path_1.default.posix.normalize(node_path_1.default.posix.join(entryDir, p)); | ||
| // If the resolved path escapes (starts with ..), reject it | ||
| if (resolved.startsWith('../') || resolved === '..') { | ||
| this.warn('TAR_ENTRY_ERROR', `${field} escapes extraction directory`, { | ||
| entry, | ||
| [field]: p, | ||
| }); | ||
| return false; | ||
| } | ||
| } | ||
| } | ||
| // strip off the root | ||
| const [root, stripped] = (0, strip_absolute_path_js_1.stripAbsolutePath)(path); | ||
| const [root, stripped] = (0, strip_absolute_path_js_1.stripAbsolutePath)(p); | ||
| if (root) { | ||
@@ -278,3 +299,3 @@ // ok, but triggers warning about stripping root | ||
| entry, | ||
| [field]: path, | ||
| [field]: p, | ||
| }); | ||
@@ -281,0 +302,0 @@ } |
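Review bot: The linkpath escape check at the `resolved` line resolves the link relative to `entry.path` as it is at call time, but nothing in this hunk shows that `entry.path` has already been root-stripped when `field === 'linkpath'`; if an absolute entry path reaches this point, `posix.normalize('/a/b/../../../x')` yields `/x`, which passes the `../` test even though the link, once extracted as `a/b/link`, still points outside cwd. Anchoring the resolution on the stripped form makes the check independent of call order (assuming `stripAbsolutePath` returns its input unchanged when there is no root): `const [, entryPath] = (0, strip_absolute_path_js_1.stripAbsolutePath)(entry.path);` followed by `const entryDir = node_path_1.default.posix.dirname(entryPath);`. Separately, if this method is also reached for hardlink entries, whose linkpath is relative to the extraction root rather than to the entry's directory, the dirname-relative resolution accepts targets that the root-relative interpretation would reject — the caller is outside the hunk, so this needs confirming there. The same two points apply to the ESM copy of the method in the next file section (`path.posix.dirname(entry.path)`). STRIPABSOLUTEPATH continues past the end of this hunk.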
+32
-11
@@ -217,18 +217,39 @@ // the PEND/UNPEND stuff tracks whether we're ready to emit end/close yet. | ||
| [STRIPABSOLUTEPATH](entry, field) { | ||
| const path = entry[field]; | ||
| if (!path || this.preservePaths) | ||
| const p = entry[field]; | ||
| if (!p || this.preservePaths) | ||
| return true; | ||
| const parts = path.split('/'); | ||
| const parts = p.split('/'); | ||
| if (parts.includes('..') || | ||
| /* c8 ignore next */ | ||
| (isWindows && /^[a-z]:\.\.$/i.test(parts[0] ?? ''))) { | ||
| this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { | ||
| entry, | ||
| [field]: path, | ||
| }); | ||
| // not ok! | ||
| return false; | ||
| // For linkpath, check if the resolved path escapes cwd rather than | ||
| // just rejecting any path with '..' - relative symlinks like | ||
| // '../sibling/file' are valid if they resolve within the cwd. | ||
| // For paths, they just simply may not ever use .. at all. | ||
| if (field === 'path') { | ||
| this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { | ||
| entry, | ||
| [field]: p, | ||
| }); | ||
| // not ok! | ||
| return false; | ||
| } | ||
| else { | ||
| // Resolve linkpath relative to the entry's directory. | ||
| // `path.posix` is safe to use because we're operating on | ||
| // tar paths, not a filesystem. | ||
| const entryDir = path.posix.dirname(entry.path); | ||
| const resolved = path.posix.normalize(path.posix.join(entryDir, p)); | ||
| // If the resolved path escapes (starts with ..), reject it | ||
| if (resolved.startsWith('../') || resolved === '..') { | ||
| this.warn('TAR_ENTRY_ERROR', `${field} escapes extraction directory`, { | ||
| entry, | ||
| [field]: p, | ||
| }); | ||
| return false; | ||
| } | ||
| } | ||
| } | ||
| // strip off the root | ||
| const [root, stripped] = stripAbsolutePath(path); | ||
| const [root, stripped] = stripAbsolutePath(p); | ||
| if (root) { | ||
@@ -239,3 +260,3 @@ // ok, but triggers warning about stripping root | ||
| entry, | ||
| [field]: path, | ||
| [field]: p, | ||
| }); | ||
@@ -242,0 +263,0 @@ } |
+1
-1
@@ -5,3 +5,3 @@ { | ||
| "description": "tar for node", | ||
| "version": "7.5.4", | ||
| "version": "7.5.5", | ||
| "repository": { | ||
@@ -8,0 +8,0 @@ "type": "git", |