Expanding yarn-v1.16.0/LICENSE would create file outside of c:\code\frontend-bug\target\node\yarn #820

Closed
FrigoCoder opened this issue May 23, 2019 · 10 comments

@FrigoCoder

Do you want to request a feature or report a bug?

Bug.

What is the current behavior?

The plugin believes that c:\code\frontend-bug\target\node\yarn-v1.16.0\LICENSE would fall outside of c:\code\frontend-bug\target and stops execution.

I believe the bug is found in com.github.eirslett.maven.plugins.frontend.lib.ArchiveExtractor. The format of destPath.getCanonicalPath() could be different from destinationDirectory due to platform differences.

final File destPath = new File(destinationDirectory + File.separator + tarEntry.getName());
prepDestination(destPath, tarEntry.isDirectory());
if (!destPath.getCanonicalPath().startsWith(destinationDirectory)) {
    throw new IOException(
            "Expanding " + tarEntry.getName() + " would create file outside of " + destinationDirectory
    );
}

If the current behavior is a bug, please provide the steps to reproduce.

The bug does not always occur. We have Windows 10 laptops with IBM corporate bloatware installed. Out of five people, three experienced this issue. Two were magically fixed by installing MinGW on their machines and putting it on the PATH variable. One persists, so it could be a coincidence.

A simple c:\code\frontend-bug\pom.xml file that reproduces the issue on my machine:

<project xmlns="http://maven.apache.org/POM/4.0.0" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>frigo</groupId>
    <artifactId>frontend-bug</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <packaging>jar</packaging>

    <build>
        <plugins>
            <plugin>
                <groupId>com.github.eirslett</groupId>
                <artifactId>frontend-maven-plugin</artifactId>
                <version>1.7.6</version>
                <executions>
                    <execution>
                        <id>install node and yarn</id>
                        <goals>
                            <goal>install-node-and-yarn</goal>
                        </goals>
                        <phase>generate-resources</phase>
                    </execution>
                </executions>
                <configuration>
                    <nodeVersion>v12.2.0</nodeVersion>
                    <yarnVersion>v1.16.0</yarnVersion>
                    <installDirectory>target</installDirectory>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

What is the expected behavior?

The plugin extracts the contents of yarn-v.1.16.0.tar.gz into c:\code\frontend-bug\target\node\ and continues execution.

Please mention your frontend-maven-plugin and operating system version.

frontend-maven-plugin: 1.7.6
windows: Windows 10 Enterprise 1809 17763.437

Apache Maven 3.5.3 (3383c37e1f9e9b3bc3df5050c29c8aff9f295297; 2018-02-24T20:49:05+01:00)
Maven home: c:\Program Files\maven\bin..
Java version: 1.8.0_171, vendor: Oracle Corporation
Java home: c:\Program Files\Java\jdk1.8.0_171\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"

@FrigoCoder
Author

Okay I realized what is going on. The getCanonicalPath() path normalizes drive letters by making them uppercase, and this breaks the startsWith call. Proof:

C:\Users\Frigo>cmd /k cd c:\code\frontend-bug

c:\code\frontend-bug>mvn clean package
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< frigo:frontend-bug >-------------------------
[INFO] Building frontend-bug 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ frontend-bug ---
[INFO] Deleting c:\code\frontend-bug\target
[INFO]
[INFO] --- frontend-maven-plugin:1.7.6:install-node-and-yarn (install node and yarn) @ frontend-bug ---
[INFO] Installing node version v12.2.0
[INFO] Copying node binary from C:\Users\Frigo\.m2\repository\com\github\eirslett\node\12.2.0\node-12.2.0-win-x64.exe to c:\code\frontend-bug\target\node\node.exe
[INFO] Installed node locally.
[INFO] Installing Yarn version v1.16.0
[INFO] Unpacking C:\Users\Frigo\.m2\repository\com\github\eirslett\yarn\1.16.0\yarn-1.16.0.tar.gz into c:\code\frontend-bug\target\node\yarn
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.253 s
[INFO] Finished at: 2019-05-23T16:55:03+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.github.eirslett:frontend-maven-plugin:1.7.6:install-node-and-yarn (install node and yarn) on project frontend-bug: Could not extract the Yarn archive: Could not extract archive: 'C:\Users\Frigo\.m2\repository\com\github\eirslett\yarn\1.16.0\yarn-1.16.0.tar.gz': Expanding yarn-v1.16.0/LICENSE would create file outside of c:\code\frontend-bug\target\node\yarn -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

c:\code\frontend-bug>exit

C:\Users\Frigo>cmd /k cd C:\code\frontend-bug

C:\code\frontend-bug>mvn clean package
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< frigo:frontend-bug >-------------------------
[INFO] Building frontend-bug 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ frontend-bug ---
[INFO] Deleting C:\code\frontend-bug\target
[INFO]
[INFO] --- frontend-maven-plugin:1.7.6:install-node-and-yarn (install node and yarn) @ frontend-bug ---
[INFO] Installing node version v12.2.0
[INFO] Copying node binary from C:\Users\Frigo\.m2\repository\com\github\eirslett\node\12.2.0\node-12.2.0-win-x64.exe to C:\code\frontend-bug\target\node\node.exe
[INFO] Installed node locally.
[INFO] Installing Yarn version v1.16.0
[INFO] Unpacking C:\Users\Frigo\.m2\repository\com\github\eirslett\yarn\1.16.0\yarn-1.16.0.tar.gz into C:\code\frontend-bug\target\node\yarn
[INFO] Installed Yarn locally.
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ frontend-bug ---
[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory C:\code\frontend-bug\src\main\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ frontend-bug ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ frontend-bug ---
[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory C:\code\frontend-bug\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ frontend-bug ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ frontend-bug ---
[INFO] No tests to run.
[INFO]
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ frontend-bug ---
[WARNING] JAR will be empty - no content was marked for inclusion!
[INFO] Building jar: C:\code\frontend-bug\target\frontend-bug-1.0.0-SNAPSHOT.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5.164 s
[INFO] Finished at: 2019-05-23T16:55:25+02:00
[INFO] ------------------------------------------------------------------------

C:\code\frontend-bug>

@arminha
Contributor

arminha commented May 23, 2019

I had similar issues with symbolic links on Linux and getCanonicalPath(). I think my fix in #816 would also solve this issue.

@FourPee

FourPee commented Sep 9, 2019

I had the same issue with install-node-and-npm. I extracted part of the code from the DefaultArchiveExtractor::extract() method and tried to simulate it in a simple external project, and the problem is exactly here:

if (!destPath.getCanonicalPath().startsWith(destinationDirectory)) {
    throw new IOException("Expanding " + tarEntry.getName() + " would create file outside of " + destinationDirectory);
}

File::getCanonicalPath() under Windows returns an uppercase drive letter, but destinationDirectory is obtained from File::getPath().
The current solution for me is to run Maven from the command line with an explicitly specified path with an uppercased drive letter - then Maven under Windows will run and the plugin will work; otherwise it will fail.
Hope a solution will be available soon.
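
The mismatch described in the comments above, as an added example (not the plugin's code and not the change from #816): the check quoted in this issue next to a variant that canonicalizes both sides before comparing. The class and method names are hypothetical, and the destination is a constructed path spelled with a `.` segment, which stands in for the lowercase drive letter so the effect shows on any OS.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class ExtractionPathCheck {

    // The check as quoted in this issue: a canonical path is compared, as a string,
    // against a destination directory that was never canonicalized.
    static boolean quotedCheckAccepts(String destinationDirectory, String entryName) throws IOException {
        File destPath = new File(destinationDirectory + File.separator + entryName);
        return destPath.getCanonicalPath().startsWith(destinationDirectory);
    }

    // Variant that canonicalizes both sides and compares whole path components,
    // so the spelling of the destination (drive-letter case, symlinks, "." segments)
    // no longer affects the result.
    static boolean canonicalCheckAccepts(String destinationDirectory, String entryName) throws IOException {
        Path base = new File(destinationDirectory).getCanonicalFile().toPath();
        Path dest = new File(destinationDirectory, entryName).getCanonicalFile().toPath();
        return dest.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed destination: a valid directory name spelled non-canonically.
        String cwd = new File("").getAbsolutePath();
        String destination = cwd + File.separator + "." + File.separator + "yarn";

        String[] entries = {
            "yarn-v1.16.0/LICENSE",   // entry name from the issue title
            "../../outside.txt"       // constructed entry that resolves outside the destination
        };
        for (String entry : entries) {
            System.out.printf("%-22s quoted check: %-6s canonical check: %s%n", entry,
                    quotedCheckAccepts(destination, entry) ? "accept" : "reject",
                    canonicalCheckAccepts(destination, entry) ? "accept" : "reject");
        }
    }
}
```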

@holgerkampffmeyer

I have the same problem under Windows. I would be happy to see a fix. Thanks a lot.

@eirslett
Owner

I believe this will be fixed in the next release, which will (hopefully) come before Christmas!

@PriscaMoine

PriscaMoine commented Dec 19, 2019

Also waiting for this fix. Thank you in advance!

@tbouron

tbouron commented Jan 3, 2020

Hi @eirslett, any news on when we could expect this to be released? Thank you :)

@eirslett
Owner

eirslett commented Jan 3, 2020

It is released now! Version 1.9.0.

@PriscaMoine

> It is released now! Version 1.9.0.

Fix is working for me, thank you!

@tbouron

tbouron commented Jan 6, 2020

> It is released now! Version 1.9.0.

@eirslett I can confirm it fixed the problem for me too :)

@eirslett closed this as completed Jan 7, 2020