npm - compressing - Versions diffs - 1.10.4 → 1.10.5 - Mend

compressing 1.10.4 → 1.10.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/utils.js +144 -62
package/package.json +1 -1

package/lib/utils.js CHANGED Viewed

@@ -21,6 +21,63 @@ function isPathWithinParent(childPath, parentPath) {
          normalizedChild.startsWith(parentWithSep);
 }
+/**
+ * Check if the real filesystem path stays within parentDir,
+ * accounting for pre-existing symlinks on disk.
+ * Walks each path segment from parentDir to targetPath using lstat.
+ * If any segment is a symlink, resolves it and verifies it stays within parentDir.
+ * @param {string} targetPath - Absolute path to validate
+ * @param {string} parentDir - Absolute path of the extraction root
+ * @param {string} realParentDir - Pre-resolved real path of parentDir (handles OS-level symlinks like /var -> /private/var on macOS)
+ * @param {function} callback - callback(err, safe)
+ */
+function isRealPathSafe(targetPath, parentDir, realParentDir, callback) {
+  function isWithinParent(p) {
+    return isPathWithinParent(p, parentDir) || isPathWithinParent(p, realParentDir);
+  }
+  var relative = path.relative(parentDir, targetPath);
+  var segments = relative.split(path.sep);
+  var i = 0;
+  var current = parentDir;
+  function checkNext() {
+    if (i >= segments.length) return callback(null, true);
+    var segment = segments[i++];
+    if (!segment || segment === '.') return checkNext();
+    current = path.join(current, segment);
+    fs.lstat(current, function(err, stat) {
+      if (err) {
+        if (err.code === 'ENOENT') return callback(null, true); // doesn't exist yet, safe
+        // Fail closed: unexpected filesystem errors are unsafe
+        return callback(null, false);
+      }
+      if (!stat.isSymbolicLink()) return checkNext();
+      fs.realpath(current, function(err, resolved) {
+        if (err) {
+          if (err.code === 'ENOENT') {
+            // Dangling symlink - check textual target
+            return fs.readlink(current, function(err, linkTarget) {
+              if (err) return callback(null, false);
+              var absTarget = path.resolve(path.dirname(current), linkTarget);
+              callback(null, isWithinParent(absTarget));
+            });
+          }
+          // Fail closed: unexpected errors during symlink resolution are unsafe
+          return callback(null, false);
+        }
+        if (!isWithinParent(resolved)) return callback(null, false);
+        current = resolved;
+        checkNext();
+      });
+    });
+  }
+  checkNext();
+}
 // file/fileBuffer/stream
 exports.sourceType = source => {
   if (!source) return undefined;
@@ -112,74 +169,99 @@ exports.makeUncompressFn = StreamClass => {
         // Resolve destDir to absolute path for security validation
         const resolvedDestDir = path.resolve(destDir);
-        let entryCount = 0;
-        let successCount = 0;
-        let isFinish = false;
-        function done() {
-          // resolve when both stream finish and file write finish
-          if (isFinish && entryCount === successCount) resolve();
-        }
-        new StreamClass(opts)
-          .on('finish', () => {
-            isFinish = true;
-            done();
-          })
-          .on('error', reject)
-          .on('entry', (header, stream, next) => {
-            stream.on('end', next);
-            const destFilePath = path.join(resolvedDestDir, header.name);
-            const resolvedDestPath = path.resolve(destFilePath);
-            // Security: Validate that the entry path doesn't escape the destination directory
-            if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
-              console.warn(`[compressing] Skipping entry with path traversal: "${header.name}" -> "${resolvedDestPath}"`);
-              stream.resume();
-              return;
-            }
-            if (header.type === 'file') {
-              const dir = path.dirname(destFilePath);
-              mkdirp(dir, err => {
-                if (err) return reject(err);
-                entryCount++;
-                pump(stream, fs.createWriteStream(destFilePath, { mode: opts.mode || header.mode }), err => {
-                  if (err) return reject(err);
-                  successCount++;
-                  done();
-                });
-              });
-            } else if (header.type === 'symlink') {
-              const dir = path.dirname(destFilePath);
-              const target = path.resolve(dir, header.linkname);
-              // Security: Validate that the symlink target doesn't escape the destination directory
-              if (!isPathWithinParent(target, resolvedDestDir)) {
-                console.warn(`[compressing] Skipping symlink "${header.name}": target "${target}" escapes extraction directory`);
+        // Resolve once for the entire extraction to handle OS-level symlinks
+        // (e.g. /var -> /private/var on macOS)
+        let realDestDir = resolvedDestDir;
+        fs.realpath(resolvedDestDir, (err, resolved) => {
+          if (!err) realDestDir = resolved;
+          let entryCount = 0;
+          let successCount = 0;
+          let isFinish = false;
+          function done() {
+            // resolve when both stream finish and file write finish
+            if (isFinish && entryCount === successCount) resolve();
+          }
+          new StreamClass(opts)
+            .on('finish', () => {
+              isFinish = true;
+              done();
+            })
+            .on('error', reject)
+            .on('entry', (header, stream, next) => {
+              stream.on('end', next);
+              const destFilePath = path.join(resolvedDestDir, header.name);
+              const resolvedDestPath = path.resolve(destFilePath);
+              // Security: Validate that the entry path doesn't escape the destination directory
+              if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
+                console.warn('[compressing] Skipping entry with path traversal: "' + header.name + '" -> "' + resolvedDestPath + '"');
                 stream.resume();
                 return;
               }
-              entryCount++;
-              mkdirp(dir, err => {
-                if (err) return reject(err);
-                const relativeTarget = path.relative(dir, target);
-                fs.symlink(relativeTarget, destFilePath, err => {
-                  if (err) return reject(err);
-                  successCount++;
+              // Security: Validate no pre-existing symlink in the path escapes the extraction directory
+              isRealPathSafe(resolvedDestPath, resolvedDestDir, realDestDir, (err, safe) => {
+                if (err || !safe) {
+                  console.warn('[compressing] Skipping entry "' + header.name + '": a symlink in its path resolves outside the extraction directory');
                   stream.resume();
-                });
-              });
-            } else { // directory
-              mkdirp(destFilePath, err => {
-                if (err) return reject(err);
-                stream.resume();
+                  return;
+                }
+                if (header.type === 'file') {
+                  const dir = path.dirname(destFilePath);
+                  mkdirp(dir, err => {
+                    if (err) return reject(err);
+                    entryCount++;
+                    pump(stream, fs.createWriteStream(destFilePath, { mode: opts.mode || header.mode }), err => {
+                      if (err) return reject(err);
+                      successCount++;
+                      done();
+                    });
+                  });
+                } else if (header.type === 'symlink') {
+                  const dir = path.dirname(destFilePath);
+                  const target = path.resolve(dir, header.linkname);
+                  // Security: Validate that the symlink target doesn't escape the destination directory
+                  if (!isPathWithinParent(target, resolvedDestDir)) {
+                    console.warn('[compressing] Skipping symlink "' + header.name + '": target "' + target + '" escapes extraction directory');
+                    stream.resume();
+                    return;
+                  }
+                  // Security: Validate no pre-existing symlink in the target path escapes the extraction directory
+                  isRealPathSafe(target, resolvedDestDir, realDestDir, (err, targetSafe) => {
+                    if (err || !targetSafe) {
+                      console.warn('[compressing] Skipping symlink "' + header.name + '": target resolves outside extraction directory via existing symlink');
+                      stream.resume();
+                      return;
+                    }
+                    entryCount++;
+                    mkdirp(dir, err => {
+                      if (err) return reject(err);
+                      const relativeTarget = path.relative(dir, target);
+                      fs.symlink(relativeTarget, destFilePath, err => {
+                        if (err) return reject(err);
+                        successCount++;
+                        stream.resume();
+                      });
+                    });
+                  });
+                } else { // directory
+                  mkdirp(destFilePath, err => {
+                    if (err) return reject(err);
+                    stream.resume();
+                  });
+                }
               });
-            }
-          });
+            });
+        });
       });
     });
   };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "compressing",
-  "version": "1.10.4",
+  "version": "1.10.5",
   "description": "Everything you need for compressing and uncompressing",
   "main": "index.js",
   "scripts": {