File tree 2 files changed +4
-1
lines changed
2 files changed +4
-1
lines changed Original file line number Diff line number Diff line change @@ -260,6 +260,9 @@ exports.extract = function (cwd, opts) {
260260 var onsymlink = function ( ) {
261261 if ( win32 ) return next ( ) // skip symlinks on win for now before it can be tested
262262 xfs . unlink ( name , function ( ) {
263+ var dst = path . resolve ( path . dirname ( name ) , header . linkname )
264+ if ( ! dst . startsWith ( path . resolve ( cwd ) ) ) return next ( new Error ( name + ' is not a valid symlink' ) )
265+
263266 xfs . symlink ( header . linkname , name , stat )
264267 } )
265268 }
Original file line number Diff line number Diff line change @@ -304,7 +304,7 @@ test('do not extract invalid tar', function (t) {
304304 fs . createReadStream ( a )
305305 . pipe ( tar . extract ( out ) )
306306 . on ( 'error' , function ( err ) {
307- t . ok ( / i s n o t a v a l i d p a t h / i. test ( err . message ) )
307+ t . ok ( / i s n o t a v a l i d s y m l i n k / i. test ( err . message ) )
308308 fs . stat ( path . join ( out , '../bar' ) , function ( err ) {
309309 t . ok ( err )
310310 t . end ( )
You can’t perform that action at this time.
0 commit comments