From 7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d Mon Sep 17 00:00:00 2001
From: isaacs
Date: Tue, 14 May 2019 17:43:20 -0700
Subject: [PATCH] Bump fstream to fix hardlink overwriting vulnerability
Fix #212
Fix #213
---
 lib/parse.js | 4 --
 package.json | 2 +-
 test/link-file-entry-collision.js | 39 ++++++++++++++++++++
 test/link-file-entry-collision/bad-link.hex | 25 +++++++++++++
 test/link-file-entry-collision/bad-link.tar | Bin 0 -> 3584 bytes
 5 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 test/link-file-entry-collision.js
 create mode 100644 test/link-file-entry-collision/bad-link.hex
 create mode 100644 test/link-file-entry-collision/bad-link.tar
diff --git a/lib/parse.js b/lib/parse.js
index e8d007ba..1c66ebda 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -251,10 +251,6 @@ Parse.prototype._startEntry = function (c) {
 if (onend) entry.on("end", onend)
- if (entry.type === "File" && this._hardLinks[entry.path]) {
- ev = "ignoredEntry"
- }
-
 this._entry = entry
 if (entry.type === "Link") {
diff --git a/package.json b/package.json
index c5b999b1..a338e117 100644
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
 },
 "dependencies": {
 "block-stream": "*",
- "fstream": "^1.0.2",
+ "fstream": "^1.0.12",
 "inherits": "2"
 },
 "devDependencies": {
diff --git a/test/link-file-entry-collision.js b/test/link-file-entry-collision.js
new file mode 100644
index 00000000..cb3e2d5e
--- /dev/null
+++ b/test/link-file-entry-collision.js
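Review bot: Removing the `ignoredEntry` branch deletes the only read of `this._hardLinks[entry.path]` visible in this hunk, so the `_hardLinks` bookkeeping that the `Link` branch just below (outside the hunk) presumably still does is likely write-only now; either drop that tracking in the same change or leave a comment saying where the collision is handled, e.g. `// File entries colliding with an earlier hardlink are no longer skipped here; the overwrite protection is delegated to fstream ^1.0.12 (see package.json).` Since the defence now lives entirely in the dependency, the `^1.0.12` range is the only thing enforcing it, which makes the new test in test/link-file-entry-collision.js the real guard and worth keeping in the default test run. The local `ev` may also be left with a single assignment after this removal and could be inlined; `_startEntry` starts and ends outside the hunk.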
@@ -0,0 +1,39 @@
+// Set the umask, so that it works the same everywhere.
+process.umask(parseInt('22', 8))
+
+var tap = require("tap")
+ , tar = require("../tar.js")
+ , fs = require("fs")
+ , path = require("path")
+ , file = path.resolve(__dirname, "link-file-entry-collision/bad-link.tar")
+ , target = path.resolve(__dirname, "tmp/link-file-entry-collision")
+ , index = 0
+ , fstream = require("fstream")
+ , mkdirp = require("mkdirp")
+ , rimraf = require("rimraf")
+
+tap.test("preclean", function (t) {
+ rimraf.sync(target)
+ t.pass("cleaned!")
+ t.end()
+})
+
+tap.test("extract test", function (t) {
+ var extract = tar.Extract(target)
+ var inp = fs.createReadStream(file)
+ inp.pipe(extract)
+
+ extract.on("end", function () {
+ t.equal(fs.readFileSync(target + "/bad-link-target", "utf8"),
+ "this should remain the same\n")
+ t.equal(fs.readFileSync(target + "/a.txt", "utf8"),
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
+ t.end()
+ })
+})
+
+tap.test("cleanup", function (t) {
+ rimraf.sync(target)
+ t.pass("cleaned!")
+ t.end()
+})
diff --git a/test/link-file-entry-collision/bad-link.hex b/test/link-file-entry-collision/bad-link.hex
new file mode 100644
index 00000000..99f5db0d
--- /dev/null
+++ b/test/link-file-entry-collision/bad-link.hex
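Review bot: `index`, `fstream` and `mkdirp` are declared in the `var` chain but never used anywhere in this file, so `, index = 0`, `, fstream = require("fstream")` and `, mkdirp = require("mkdirp")` can be dropped. The extract test registers only an `end` listener on `extract`, so a failing extraction surfaces as an uncaught stream error instead of a tap assertion; adding `extract.on("error", function (er) { t.fail(er); t.end() })` before the `end` listener gives a readable failure and a clean exit. A one-line comment above the test naming what the fixture exercises would also help a later reader, e.g. `// bad-link.tar holds a hardlink a.txt -> bad-link-target followed by a plain file entry a.txt; its contents must not be written through the link (see bad-link.hex annotations).`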
@@ -0,0 +1,25 @@ +-- header for the link target -- +6261642d6c696e6b2d74617267657400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030303037363520003030303032342000303030303030303030333420313334363636353530353620303134333731002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # bad-link-target.....................................................................................000644..000765..000024..00000000034.13466655056.014371..0................................................................................................... +00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000......................................................................................................................................................................... 
+ +-- link target file contents (should not be overwritten) -- +746869732073686f756c642072656d61696e207468652073616d650a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # this.should.remain.the.same..................................................................................................................................................................................................................................... +00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ + +-- header for the link named a.txt -- 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 # a.txt...............................................................................................000644..000765..000024..00000000000.13466655056.015342..1bad-link-target.................................................................................... 
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000......................................................................................................................................................................... + +-- header for file entry which attempts to overwrite the link -- +612e7478740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030353737363120003030303032342000303030303030303034303120313136353133363033333320303132343531002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a.txt...............................................................................................000644..057761..000024..00000000401.11651360333.012451..0................................................................................................... 
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000......................................................................................................................................................................... + +-- contents that threaten to overwrite the link target -- +61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
+61000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a............................................................................................................................................................................................................................................................... + +-- tar eof -- +00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ 
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ +00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ 
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ diff --git a/test/link-file-entry-collision/bad-link.tar b/test/link-file-entry-collision/bad-link.tar new file mode 100644 index 0000000000000000000000000000000000000000..be0b0d2f73a2cdca26771554090aca269bfcfc69 GIT binary patch literal 3584 zcmeHH+X{m)4E1?mksoj*wvFFYr%stVuod?C3-dvyu%}f7o0r^5I638{uw~k{!z1-} zyjMO6VTj0DLn1zB^YNI?xs=3|22z@tjX}eJq*YD{UmvH zFX<+lH<_11giZgT1>dv|T=Sf|62_{x?Et>1z}ddK929bd^+yKm)xW~1egP@c_^p4@ z%eVfG(pdsj>~Ne;uK!*C-{d*d_Wo-mAYwy`Q7I+&Khq}O|3yFnBYSoW$ZZ@Q8Hfx- I29C_Y8xFy>h5!Hn literal 0 HcmV?d00001