Skip to content

Commit

Permalink
Bump fstream to fix hardlink overwriting vulnerability
Browse files Browse the repository at this point in the history
Fix #212
Fix #213
  • Loading branch information
isaacs committed May 15, 2019
1 parent 9fc84b9 commit 7ecef07
Show file tree
Hide file tree
Showing 5 changed files with 65 additions and 5 deletions.
4 changes: 0 additions & 4 deletions lib/parse.js
Original file line number Diff line number Diff line change
Expand Up @@ -251,10 +251,6 @@ Parse.prototype._startEntry = function (c) {

if (onend) entry.on("end", onend)

if (entry.type === "File" && this._hardLinks[entry.path]) {
ev = "ignoredEntry"
}

this._entry = entry

if (entry.type === "Link") {
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
},
"dependencies": {
"block-stream": "*",
"fstream": "^1.0.2",
"fstream": "^1.0.12",
"inherits": "2"
},
"devDependencies": {
Expand Down
39 changes: 39 additions & 0 deletions test/link-file-entry-collision.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
// Set the umask, so that it works the same everywhere.
process.umask(parseInt('22', 8))

var tap = require("tap")
, tar = require("../tar.js")
, fs = require("fs")
, path = require("path")
, file = path.resolve(__dirname, "link-file-entry-collision/bad-link.tar")
, target = path.resolve(__dirname, "tmp/link-file-entry-collision")
, index = 0
, fstream = require("fstream")
, mkdirp = require("mkdirp")
, rimraf = require("rimraf")

tap.test("preclean", function (t) {
rimraf.sync(target)
t.pass("cleaned!")
t.end()
})

tap.test("extract test", function (t) {
var extract = tar.Extract(target)
var inp = fs.createReadStream(file)
inp.pipe(extract)

extract.on("end", function () {
t.equal(fs.readFileSync(target + "/bad-link-target", "utf8"),
"this should remain the same\n")
t.equal(fs.readFileSync(target + "/a.txt", "utf8"),
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
t.end()
})
})

tap.test("cleanup", function (t) {
rimraf.sync(target)
t.pass("cleaned!")
t.end()
})
25 changes: 25 additions & 0 deletions test/link-file-entry-collision/bad-link.hex
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
-- header for the link target --
6261642d6c696e6b2d74617267657400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030303037363520003030303032342000303030303030303030333420313334363636353530353620303134333731002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # bad-link-target.....................................................................................000644..000765..000024..00000000034.13466655056.014371..0...................................................................................................
00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000.........................................................................................................................................................................

-- link target file contents (should not be overwritten) --
746869732073686f756c642072656d61696e207468652073616d650a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # this.should.remain.the.same.....................................................................................................................................................................................................................................
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................

-- header for the link named a.txt --
612e74787400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003030303634342000303030373635200030303030323420003030303030303030303030203133343636363535303536203031353334320020316261642d6c696e6b2d746172676574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a.txt...............................................................................................000644..000765..000024..00000000000.13466655056.015342..1bad-link-target....................................................................................
00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000.........................................................................................................................................................................

-- header for file entry which attempts to overwrite the link --
612e7478740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030353737363120003030303032342000303030303030303034303120313136353133363033333320303132343531002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a.txt...............................................................................................000644..057761..000024..00000000401.11651360333.012451..0...................................................................................................
00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000.........................................................................................................................................................................

-- contents that threaten to overwrite the link target --
61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
61000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a...............................................................................................................................................................................................................................................................

-- tar eof --
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................
Binary file added test/link-file-entry-collision/bad-link.tar
Binary file not shown.

0 comments on commit 7ecef07

Please sign in to comment.