From fc76f230e5d9a8bd37cbbdda1b38e9e19a1db950 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Wed, 22 Jan 2020 04:24:30 -0500
Subject: [PATCH] Fixes arbitrary file write on fetch

---
 src/fetchers/tarball-fetcher.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/fetchers/tarball-fetcher.js b/src/fetchers/tarball-fetcher.js
index 8d1a452262..c06cc1101e 100644
--- a/src/fetchers/tarball-fetcher.js
+++ b/src/fetchers/tarball-fetcher.js
@@ -136,6 +136,11 @@ export default class TarballFetcher extends BaseFetcher {
 chown: false, // don't chown. just leave as it is
 map: header => {
 header.mtime = now;
+ if (header.linkname) {
+ const basePath = path.posix.dirname(path.join('/', header.name));
+ const jailPath = path.posix.join(basePath, header.linkname);
+ header.linkname = path.posix.relative('/', jailPath);
+ }
 return header;
 },
 fs: patchedFs,
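Review bot: The added `map` callback mixes the platform `path.join` with `path.posix.*` when computing `basePath`; on Windows `path.join('/', header.name)` returns a backslash-separated path, which `path.posix.dirname` does not split, so the entry's own directory would be dropped from the jail computation. Using `const basePath = path.posix.dirname(path.posix.join('/', header.name));` keeps the whole calculation in tar's forward-slash namespace. The rewrite is also applied to every entry with a `linkname` regardless of `header.type`, and the resulting value is relative to the archive root rather than to the link's directory, so it looks like a legitimate relative symlink in a nested directory would point somewhere else after extraction; that depends on how the extractor resolves `linkname`, which is not visible here. A short comment above the `if` stating that the link target is clamped to the extraction root, plus a regression test using a tarball whose link entry points outside the root, would make the intent checkable. The enclosing method starts and ends outside this hunk.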