tar@2.0.1

Normalize symlinks less aggressively -- only convert to absolute paths
if they would actually point outside the extraction root, not all
symlinks with relative paths.

4 files changed, 99 insertions, 44 deletions

diff --git a/node_modules/tar/lib/extract.js b/node_modules/tar/lib/extract.js
index ca82a65ce..5a4cb98c3 100644
--- a/node_modules/tar/lib/extract.js
+++ b/node_modules/tar/lib/extract.js
@@ -17,7 +17,6 @@ function Extract (opts) {
 
   // better to drop in cwd? seems more standard.
   opts.path = opts.path || path.resolve("node-tar-extract")
-  // have to dump into a directory
   opts.type = "Directory"
   opts.Directory = true
 
@@ -44,19 +43,19 @@ function Extract (opts) {
         entry.linkpath = entry.props.linkpath = lp
       }
     }
-
     if (entry.type === "Link") {
-      entry.linkpath = entry.props.linkpath = path.join(
-        opts.path, path.join("/", entry.props.linkpath)
-      )
+      entry.linkpath = entry.props.linkpath =
+        path.join(opts.path, path.join("/", entry.props.linkpath))
     }
 
-    if (entry.props && entry.props.linkpath) {
+    if (entry.type === "SymbolicLink") {
+      var dn = path.dirname(entry.path) || ""
       var linkpath = entry.props.linkpath
-      // normalize paths that point outside the extraction root
-      if (path.resolve(opts.path, linkpath).indexOf(opts.path) !== 0) {
-        entry.props.linkpath = path.join(opts.path, path.join("/", linkpath))
+      var target = path.resolve(opts.path, dn, linkpath)
+      if (target.indexOf(opts.path) !== 0) {
+        linkpath = path.join(opts.path, path.join("/", linkpath))
       }
+      entry.linkpath = entry.props.linkpath = linkpath
     }
   })
 
diff --git a/node_modules/tar/package.json b/node_modules/tar/package.json
index 2387a15fb..ec4d2d379 100644
--- a/node_modules/tar/package.json
+++ b/node_modules/tar/package.json
@@ -6,7 +6,7 @@
   },
   "name": "tar",
   "description": "tar for node",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "repository": {
     "type": "git",
     "url": "git://github.com/isaacs/node-tar.git"
@@ -27,14 +27,34 @@
     "mkdirp": "^0.5.0"
   },
   "license": "BSD",
-  "readme": "# node-tar\n\nTar for Node.js.\n\n[![NPM](https://nodei.co/npm/tar.png)](https://nodei.co/npm/tar/)\n\n## API\n\nSee `examples/` for usage examples.\n\n### var tar = require('tar')\n\nReturns an object with `.Pack`, `.Extract` and `.Parse` methods.\n\n### tar.Pack([properties])\n\nReturns a through stream. Use\n[fstream](https://npmjs.org/package/fstream) to write files into the\npack stream and you will receive tar archive data from the pack\nstream.\n\nThis only works with directories, it does not work with individual files.\n\nThe optional `properties` object are used to set properties in the tar\n'Global Extended Header'.\n\n### tar.Extract([options])\n\nReturns a through stream. Write tar data to the stream and the files\nin the tarball will be extracted onto the filesystem.\n\n`options` can be:\n\n```js\n{\n  path: '/path/to/extract/tar/into',\n  strip: 0, // how many path segments to strip from the root when extracting\n}\n```\n\n`options` also get passed to the `fstream.Writer` instance that `tar`\nuses internally.\n\n### tar.Parse()\n\nReturns a writable stream. Write tar data to it and it will emit\n`entry` events for each entry parsed from the tarball. This is used by\n`tar.Extract`.\n",
-  "readmeFilename": "README.md",
-  "gitHead": "9bde260b9ebe6808837a85bedf9c6f7bb04e004f",
+  "gitHead": "ce405d0b96f0fe186dd4cc68d666fabb0c59818d",
   "bugs": {
     "url": "https://github.com/isaacs/node-tar/issues"
   },
   "homepage": "https://github.com/isaacs/node-tar",
-  "_id": "tar@2.0.0",
-  "_shasum": "7cf627bc632167766ce2a5a1f23e4ecb8e3f28bc",
-  "_from": "tar@>=2.0.0 <2.1.0"
+  "_id": "tar@2.0.1",
+  "_shasum": "a1537ab0d1ce61462ce87b4eed1cd263fba5fc17",
+  "_from": "tar@>=2.0.1 <2.1.0",
+  "_npmVersion": "2.7.6",
+  "_nodeVersion": "1.4.2",
+  "_npmUser": {
+    "name": "isaacs",
+    "email": "i@izs.me"
+  },
+  "maintainers": [
+    {
+      "name": "isaacs",
+      "email": "i@izs.me"
+    },
+    {
+      "name": "othiym23",
+      "email": "ogd@aoaioxxysz.net"
+    }
+  ],
+  "dist": {
+    "shasum": "a1537ab0d1ce61462ce87b4eed1cd263fba5fc17",
+    "tarball": "http://registry.npmjs.org/tar/-/tar-2.0.1.tgz"
+  },
+  "directories": {},
+  "_resolved": "https://registry.npmjs.org/tar/-/tar-2.0.1.tgz"
 }
diff --git a/node_modules/tar/test/dir-normalization.js b/node_modules/tar/test/dir-normalization.js
index cdaa55353..9719c42f3 100644
--- a/node_modules/tar/test/dir-normalization.js
+++ b/node_modules/tar/test/dir-normalization.js
@@ -16,22 +16,37 @@ var expectEntries = [
   { path: 'fixtures/',
     mode: '755',
     type: '5',
-    depth: undefined,
-    size: 0,
-    linkpath: '',
-    nlink: undefined,
-    dev: undefined,
-    ino: undefined
+    linkpath: ''
+  },
+  { path: 'fixtures/a/',
+    mode: '755',
+    type: '5',
+    linkpath: ''
   },
   { path: 'fixtures/the-chumbler',
     mode: '755',
     type: '2',
-    depth: undefined,
-    size: 0,
     linkpath: path.resolve(target, 'a/b/c/d/the-chumbler'),
-    nlink: undefined,
-    dev: undefined,
-    ino: undefined
+  },
+  { path: 'fixtures/a/b/',
+    mode: '755',
+    type: '5',
+    linkpath: ''
+  },
+  { path: 'fixtures/a/x',
+    mode: '644',
+    type: '0',
+    linkpath: ''
+  },
+  { path: 'fixtures/a/b/c/',
+    mode: '755',
+    type: '5',
+    linkpath: ''
+  },
+  { path: 'fixtures/a/b/c/y',
+    mode: '755',
+    type: '2',
+    linkpath: '../../x',
   }
 ]
 
@@ -49,13 +64,41 @@ var expectFiles = [
     depth: 1,
     linkpath: undefined
   },
+  { path: '/fixtures/a',
+    mode: '40755',
+    type: 'Directory',
+    depth: 2,
+    linkpath: undefined
+  },
+  { path: '/fixtures/a/b',
+    mode: '40755',
+    type: 'Directory',
+    depth: 3,
+    linkpath: undefined
+  },
+  { path: '/fixtures/a/b/c',
+    mode: '40755',
+    type: 'Directory',
+    depth: 4,
+    linkpath: undefined
+  },
+  { path: '/fixtures/a/b/c/y',
+    mode: '120755',
+    type: 'SymbolicLink',
+    depth: 5,
+    linkpath: '../../x'
+  },
+  { path: '/fixtures/a/x',
+    mode: '100644',
+    type: 'File',
+    depth: 3,
+    linkpath: undefined
+  },
   { path: '/fixtures/the-chumbler',
     mode: '120755',
     type: 'SymbolicLink',
     depth: 2,
-    size: 95,
-    linkpath: path.resolve(target, 'a/b/c/d/the-chumbler'),
-    nlink: 1
+    linkpath: path.resolve(target, 'a/b/c/d/the-chumbler')
   }
 ]
 
@@ -84,21 +127,16 @@ test('extract test', function (t) {
   })
 
   extract.on('entry', function (entry) {
+    var mode = entry.props.mode & (~parseInt('22', 8))
     var found = {
       path: entry.path,
-      mode: entry.props.mode.toString(8),
+      mode: mode.toString(8),
       type: entry.props.type,
-      depth: entry.props.depth,
-      size: entry.props.size,
       linkpath: entry.props.linkpath,
-      nlink: entry.props.nlink,
-      dev: entry.props.dev,
-      ino: entry.props.ino
     }
 
     var wanted = expectEntries[ee++]
-
-    t.equivalent(found, wanted, 'tar entry ' + ee + ' ' + wanted.path)
+    t.equivalent(found, wanted, 'tar entry ' + ee + ' ' + (wanted && wanted.path))
   })
 
   function next () {
@@ -116,19 +154,17 @@ test('extract test', function (t) {
 
     function foundEntry (entry) {
       var p = entry.path.substr(target.length)
+      var mode = entry.props.mode & (~parseInt('22', 8))
       var found = {
         path: p,
-        mode: entry.props.mode.toString(8),
+        mode: mode.toString(8),
         type: entry.props.type,
         depth: entry.props.depth,
-        size: entry.props.size,
-        linkpath: entry.props.linkpath,
-        nlink: entry.props.nlink
+        linkpath: entry.props.linkpath
       }
 
       var wanted = expectFiles[ef++]
-
-      t.has(found, wanted, 'unpacked file ' + ef + ' ' + wanted.path)
+      t.equivalent(found, wanted, 'unpacked file ' + ef + ' ' + (wanted && wanted.path))
 
       entry.on('entry', foundEntry)
     }
diff --git a/node_modules/tar/test/dir-normalization.tar b/node_modules/tar/test/dir-normalization.tar
index d11d4eb8d..3c4845356 100644
--- a/node_modules/tar/test/dir-normalization.tar
+++ b/node_modules/tar/test/dir-normalization.tar