tar@2.0.0

Normalize symbolic links with targets that point outside the extraction
root.

4 files changed, 162 insertions, 12 deletions

diff --git a/node_modules/tar/lib/extract.js b/node_modules/tar/lib/extract.js
index 9fb1e6fb1..ca82a65ce 100644
--- a/node_modules/tar/lib/extract.js
+++ b/node_modules/tar/lib/extract.js
@@ -11,16 +11,13 @@ function Extract (opts) {
   if (!(this instanceof Extract)) return new Extract(opts)
   tar.Parse.apply(this)
 
-  // have to dump into a directory
-  opts.type = "Directory"
-  opts.Directory = true
-
   if (typeof opts !== "object") {
     opts = { path: opts }
   }
 
   // better to drop in cwd? seems more standard.
   opts.path = opts.path || path.resolve("node-tar-extract")
+  // have to dump into a directory
   opts.type = "Directory"
   opts.Directory = true
 
@@ -47,9 +44,20 @@ function Extract (opts) {
         entry.linkpath = entry.props.linkpath = lp
       }
     }
-    if (entry.type !== "Link") return
-    entry.linkpath = entry.props.linkpath =
-      path.join(opts.path, path.join("/", entry.props.linkpath))
+
+    if (entry.type === "Link") {
+      entry.linkpath = entry.props.linkpath = path.join(
+        opts.path, path.join("/", entry.props.linkpath)
+      )
+    }
+
+    if (entry.props && entry.props.linkpath) {
+      var linkpath = entry.props.linkpath
+      // normalize paths that point outside the extraction root
+      if (path.resolve(opts.path, linkpath).indexOf(opts.path) !== 0) {
+        entry.props.linkpath = path.join(opts.path, path.join("/", linkpath))
+      }
+    }
   })
 
   this._fst.on("ready", function () {
@@ -71,6 +79,7 @@ function Extract (opts) {
 
   this._fst.on("close", function () {
     // console.error("\nEEEE Extract End", me._fst.path)
+    me.emit("finish")
     me.emit("end")
     me.emit("close")
   })
diff --git a/node_modules/tar/package.json b/node_modules/tar/package.json
index b4a120992..2387a15fb 100644
--- a/node_modules/tar/package.json
+++ b/node_modules/tar/package.json
@@ -6,7 +6,7 @@
   },
   "name": "tar",
   "description": "tar for node",
-  "version": "1.0.3",
+  "version": "2.0.0",
   "repository": {
     "type": "git",
     "url": "git://github.com/isaacs/node-tar.git"
@@ -29,12 +29,12 @@
   "license": "BSD",
   "readme": "# node-tar\n\nTar for Node.js.\n\n[![NPM](https://nodei.co/npm/tar.png)](https://nodei.co/npm/tar/)\n\n## API\n\nSee `examples/` for usage examples.\n\n### var tar = require('tar')\n\nReturns an object with `.Pack`, `.Extract` and `.Parse` methods.\n\n### tar.Pack([properties])\n\nReturns a through stream. Use\n[fstream](https://npmjs.org/package/fstream) to write files into the\npack stream and you will receive tar archive data from the pack\nstream.\n\nThis only works with directories, it does not work with individual files.\n\nThe optional `properties` object are used to set properties in the tar\n'Global Extended Header'.\n\n### tar.Extract([options])\n\nReturns a through stream. Write tar data to the stream and the files\nin the tarball will be extracted onto the filesystem.\n\n`options` can be:\n\n```js\n{\n  path: '/path/to/extract/tar/into',\n  strip: 0, // how many path segments to strip from the root when extracting\n}\n```\n\n`options` also get passed to the `fstream.Writer` instance that `tar`\nuses internally.\n\n### tar.Parse()\n\nReturns a writable stream. Write tar data to it and it will emit\n`entry` events for each entry parsed from the tarball. This is used by\n`tar.Extract`.\n",
   "readmeFilename": "README.md",
-  "gitHead": "f4151128c585da236c6b1e278b762ecaedc20c15",
+  "gitHead": "9bde260b9ebe6808837a85bedf9c6f7bb04e004f",
   "bugs": {
     "url": "https://github.com/isaacs/node-tar/issues"
   },
   "homepage": "https://github.com/isaacs/node-tar",
-  "_id": "tar@1.0.3",
-  "_shasum": "15bcdab244fa4add44e4244a0176edb8aa9a2b44",
-  "_from": "tar@>=1.0.3 <1.1.0"
+  "_id": "tar@2.0.0",
+  "_shasum": "7cf627bc632167766ce2a5a1f23e4ecb8e3f28bc",
+  "_from": "tar@>=2.0.0 <2.1.0"
 }
diff --git a/node_modules/tar/test/dir-normalization.js b/node_modules/tar/test/dir-normalization.js
new file mode 100644
index 000000000..cdaa55353
--- /dev/null
+++ b/node_modules/tar/test/dir-normalization.js
@@ -0,0 +1,141 @@
+// Set the umask, so that it works the same everywhere.
+process.umask(parseInt('22', 8))
+
+var fs = require('fs')
+var path = require('path')
+
+var fstream = require('fstream')
+var test = require('tap').test
+
+var tar = require('../tar.js')
+var file = path.resolve(__dirname, 'dir-normalization.tar')
+var target = path.resolve(__dirname, 'tmp/dir-normalization-test')
+var ee = 0
+
+var expectEntries = [
+  { path: 'fixtures/',
+    mode: '755',
+    type: '5',
+    depth: undefined,
+    size: 0,
+    linkpath: '',
+    nlink: undefined,
+    dev: undefined,
+    ino: undefined
+  },
+  { path: 'fixtures/the-chumbler',
+    mode: '755',
+    type: '2',
+    depth: undefined,
+    size: 0,
+    linkpath: path.resolve(target, 'a/b/c/d/the-chumbler'),
+    nlink: undefined,
+    dev: undefined,
+    ino: undefined
+  }
+]
+
+var ef = 0
+var expectFiles = [
+  { path: '',
+    mode: '40755',
+    type: 'Directory',
+    depth: 0,
+    linkpath: undefined
+  },
+  { path: '/fixtures',
+    mode: '40755',
+    type: 'Directory',
+    depth: 1,
+    linkpath: undefined
+  },
+  { path: '/fixtures/the-chumbler',
+    mode: '120755',
+    type: 'SymbolicLink',
+    depth: 2,
+    size: 95,
+    linkpath: path.resolve(target, 'a/b/c/d/the-chumbler'),
+    nlink: 1
+  }
+]
+
+test('preclean', function (t) {
+  require('rimraf').sync(path.join(__dirname, '/tmp/dir-normalization-test'))
+  t.pass('cleaned!')
+  t.end()
+})
+
+test('extract test', function (t) {
+  var extract = tar.Extract(target)
+  var inp = fs.createReadStream(file)
+
+  inp.pipe(extract)
+
+  extract.on('end', function () {
+    t.equal(ee, expectEntries.length, 'should see ' + expectEntries.length + ' entries')
+
+    // should get no more entries after end
+    extract.removeAllListeners('entry')
+    extract.on('entry', function (e) {
+      t.fail('Should not get entries after end!')
+    })
+
+    next()
+  })
+
+  extract.on('entry', function (entry) {
+    var found = {
+      path: entry.path,
+      mode: entry.props.mode.toString(8),
+      type: entry.props.type,
+      depth: entry.props.depth,
+      size: entry.props.size,
+      linkpath: entry.props.linkpath,
+      nlink: entry.props.nlink,
+      dev: entry.props.dev,
+      ino: entry.props.ino
+    }
+
+    var wanted = expectEntries[ee++]
+
+    t.equivalent(found, wanted, 'tar entry ' + ee + ' ' + wanted.path)
+  })
+
+  function next () {
+    var r = fstream.Reader({
+      path: target,
+      type: 'Directory',
+      sort: 'alpha'
+    })
+
+    r.on('ready', function () {
+      foundEntry(r)
+    })
+
+    r.on('end', finish)
+
+    function foundEntry (entry) {
+      var p = entry.path.substr(target.length)
+      var found = {
+        path: p,
+        mode: entry.props.mode.toString(8),
+        type: entry.props.type,
+        depth: entry.props.depth,
+        size: entry.props.size,
+        linkpath: entry.props.linkpath,
+        nlink: entry.props.nlink
+      }
+
+      var wanted = expectFiles[ef++]
+
+      t.has(found, wanted, 'unpacked file ' + ef + ' ' + wanted.path)
+
+      entry.on('entry', foundEntry)
+    }
+
+    function finish () {
+      t.equal(ef, expectFiles.length, 'should have ' + ef + ' items')
+      t.end()
+    }
+  }
+})
diff --git a/node_modules/tar/test/dir-normalization.tar b/node_modules/tar/test/dir-normalization.tar
new file mode 100644
index 000000000..d11d4eb8d
--- /dev/null
+++ b/node_modules/tar/test/dir-normalization.tar