fix: checking if symlink with same prefix points outside the directory (#335)

mmaietta · web-flow · commit 9ec1830ec285 · 2024-11-07T02:15:18.000+08:00
fix: checking if symlink points outside the directory. (#303)
diff --git a/src/crawlfs.ts b/src/crawlfs.ts
@@ -3,6 +3,7 @@ import { glob as _glob } from 'glob';
 
 import fs from './wrapped-fs';
 import { Stats } from 'fs';
+import * as path from 'path';
 import { IOptions } from './types/glob';
 
 const glob = promisify(_glob);
@@ -48,8 +49,13 @@ export async function crawl(dir: string, options: IOptions) {
       // those appearing in archives we need to manually exclude theme here
       const exactLinkIndex = links.findIndex((link) => filename === link);
       return links.every((link, index) => {
-        if (index === exactLinkIndex) return true;
-        return !filename.startsWith(link);
+        if (index === exactLinkIndex) {
+          return true;
+        }
+        const isFileWithinSymlinkDir = filename.startsWith(link);
+        // symlink may point outside the directory: https://github.com/electron/asar/issues/303
+        const relativePath = path.relative(link, path.dirname(filename));
+        return !isFileWithinSymlinkDir || relativePath.startsWith('..');
       });
     });
   return [filenames, metadata] as const;
diff --git a/test/api-spec.js b/test/api-spec.js
@@ -119,6 +119,21 @@ describe('api', function () {
       'test/input/packthis-with-symlink/real.txt',
     );
   });
+  it('should extract an archive with symlink having the same prefix', async () => {
+    await asar.createPackageWithOptions(
+      'test/input/packthis-with-symlink-same-prefix/',
+      'tmp/packthis-with-symlink-same-prefix.asar',
+      { dot: false },
+    );
+    asar.extractAll(
+      'tmp/packthis-with-symlink-same-prefix.asar',
+      'tmp/packthis-with-symlink-same-prefix/',
+    );
+    return compFiles(
+      'tmp/packthis-with-symlink-same-prefix/real.txt',
+      'test/input/packthis-with-symlink-same-prefix/real.txt',
+    );
+  });
   it('should not extract an archive with a bad symlink', async () => {
     assert.throws(() => {
       asar.extractAll('test/input/bad-symlink.asar', 'tmp/bad-symlink/');
diff --git a/test/input/packthis-with-symlink-same-prefix/A b/test/input/packthis-with-symlink-same-prefix/A
@@ -0,0 +1 @@
+AA
diff --git a/test/input/packthis-with-symlink-same-prefix/AA/real.txt b/test/input/packthis-with-symlink-same-prefix/AA/real.txt
@@ -0,0 +1 @@
+I AM REAL TXT FILE
diff --git a/test/input/packthis-with-symlink-same-prefix/real.txt b/test/input/packthis-with-symlink-same-prefix/real.txt
@@ -0,0 +1 @@
+AA/real.txt
