Commit23312ce

committed

drop dirCache for symlink on all platforms

1 parent4f1f4a2 commit23312ceCopy full SHA for 23312ce

File tree

+11

-8

lines changed

+11

-8

lines changed

Lines changed: 7 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -550,13 +550,13 @@ class Unpack extends Parser {`
`550`	`550`	`// then that means we are about to delete the directory we created`
`551`	`551`	`// previously, and it is no longer going to be a directory, and neither`
`552`	`552`	`// is any of its children.`
`553`		`-// If a symbolic link is encountered on Windows, all bets are off.`
`554`		`-//There is noreasonable way to sanitize the cache in such a way`
`555`		`-//we will be able toavoid having filesystem collisions. If this`
`556`		`-//happens with a non-symlinkentry, it'll just fail to unpack,`
`557`		`-//but a symlink to a directory, using an 8.3 shortname, can evade`
`558`		`-//detection and leadto arbitrary writes to anywhere on the system.`
`559`		`-if(isWindows&&entry.type==='SymbolicLink')`
	`553`	`+// If a symbolic link is encountered, all bets are off. There is no`
	`554`	`+// reasonable way to sanitize the cache in such a way we will be able to`
	`555`	`+// avoid having filesystem collisions. If this happens with a non-symlink`
	`556`	`+// entry, it'll just fail to unpack, but a symlink to a directory, using an`
	`557`	`+//8.3 shortname or certain unicode attacks, can evade detection and lead`
	`558`	`+// to arbitrary writes to anywhere on the system.`
	`559`	`+if(entry.type==='SymbolicLink')`
`560`	`560`	`dropCache(this.dirCache)`
`561`	`561`	`elseif(entry.type!=='Directory')`
`562`	`562`	`pruneCache(this.dirCache,entry.absolute)`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -3027,6 +3027,10 @@ t.test('dirCache pruning unicode normalized collisions', {`
`3027`	`3027`	`path:Buffer.from([0x63,0x61,0x66,0x65,0xcc,0x81]).toString(),`
`3028`	`3028`	`linkpath:'foo',`
`3029`	`3029`	`},`
	`3030`	`+{`
	`3031`	`+type:'Directory',`
	`3032`	`+path:'foo',`
	`3033`	`+},`
`3030`	`3034`	`{`
`3031`	`3035`	`type:'File',`
`3032`	`3036`	`path:Buffer.from([0x63,0x61,0x66,0xc3,0xa9]).toString()+'/bar',`
`@@ -3040,7 +3044,6 @@ t.test('dirCache pruning unicode normalized collisions', {`
`3040`	`3044`	`constcheck=(path,dirCache,t)=>{`
`3041`	`3045`	`path=path.replace(/\\/g,'/')`
`3042`	`3046`	`t.strictSame([...dirCache.entries()],[`
`3043`		`-[path,true],`
`3044`	`3047`	[`${path}/foo`,true],
`3045`	`3048`	`])`
`3046`	`3049`	`t.equal(fs.readFileSync(path+'/foo/bar','utf8'),'x')`

Comments

(0)