From 4f7abe9af87ad233343ea7d1181de016c43dd358 Mon Sep 17 00:00:00 2001
From: Samuel Attard <sam@electronjs.org>
Date: Mon, 9 Sep 2024 18:47:07 -0700
Subject: [PATCH] fix: ensure symlinks do not write unexpectedly (#322)

* fix: ensure symlinks do not write unexpectedly

* update spec name:
---
 src/asar.ts                 |   8 ++++++++
 test/api-spec.js            |   5 +++++
 test/input/bad-symlink.asar | Bin 0 -> 339 bytes
 3 files changed, 13 insertions(+)
 create mode 100644 test/input/bad-symlink.asar

diff --git a/src/asar.ts b/src/asar.ts
index 08f8052..bd0f7aa 100644
--- a/src/asar.ts
+++ b/src/asar.ts
@@ -221,6 +221,9 @@ export function extractAll(archivePath: string, dest: string) {
     const filename = fullPath.substr(1);
     const destFilename = path.join(dest, filename);
     const file = filesystem.getFile(filename, followLinks);
+    if (path.relative(dest, destFilename).startsWith('..')) {
+      throw new Error(`${fullPath}: file "${destFilename}" writes out of the package`);
+    }
     if ('files' in file) {
       // it's a directory, create it and continue with the next entry
       fs.mkdirpSync(destFilename);
@@ -234,6 +237,11 @@ export function extractAll(archivePath: string, dest: string) {
         fs.unlinkSync(destFilename);
       } catch {}
       const linkTo = path.join(relativePath, path.basename(file.link));
+      if (path.relative(dest, linkSrcPath).startsWith('..')) {
+        throw new Error(
+          `${fullPath}: file "${file.link}" links out of the package to "${linkSrcPath}"`,
+        );
+      }
       fs.symlinkSync(linkTo, destFilename);
     } else {
       // it's a file, try to extract it
diff --git a/test/api-spec.js b/test/api-spec.js
index 9b227b2..db01989 100644
--- a/test/api-spec.js
+++ b/test/api-spec.js
@@ -119,6 +119,11 @@ describe('api', function () {
       'test/input/packthis-with-symlink/real.txt',
     );
   });
+  it('should not extract an archive with a bad symlink', async () => {
+    assert.throws(() => {
+      asar.extractAll('test/input/bad-symlink.asar', 'tmp/bad-symlink/');
+    });
+  });
   it('should handle multibyte characters in paths', async () => {
     await asar.createPackageWithOptions(
       'test/input/packthis-unicode-path/',
diff --git a/test/input/bad-symlink.asar b/test/input/bad-symlink.asar
new file mode 100644
index 0000000000000000000000000000000000000000..25a4ce6cf12dace9fa351ead2c5e10e788c351c5
GIT binary patch
literal 339
zcmbtPOKZb04EA8B{S2K$8#{jHw80L$cem1mlgf=rnuOYHY^DEwN-3rH2?@PEeUhFT
zWA9Ily^_^rX9#h?1oas{G3CV%aqOXn)oT5y^C^D$jO%=y;Zi`pf$!7v_lWytJjGvx
z+7vK_kdPRmgaYE2@o<XyXMy<PFj3qcsk!-h6G{`J^Qogem{7UktoO!Lm6Be%Qdv~o
zabYZPtkzDJt`$}(9(>a{#ak_`utuZMl9-xdYWvOg49T6WN_nf%o7?{{*j=u|Sm)aw
G_b-1e%UtgO

literal 0
HcmV?d00001