fix: prevent symlink path traversal via pre-existing symlinks during tar extraction

Add isRealPathSafe() that walks each path segment using lstat to detect
when a pre-existing symlink on disk would cause a file write outside the
extraction directory. This mitigates GHSA-4c3q-x735-j3r5 where a
crafted tar with ordered entries (symlink then file through that symlink)
could escape the destination.

Also extracts createTarBuffer helper to shared test/util.js.

Closes GHSA-4c3q-x735-j3r5

Author: fengmk2

lib/utils.js

@@ -21,6 +21,63 @@ function isPathWithinParent(childPath, parentPath) {
          normalizedChild.startsWith(parentWithSep);
 }
 
+/**
+ * Check if the real filesystem path stays within parentDir,
+ * accounting for pre-existing symlinks on disk.
+ * Walks each path segment from parentDir to targetPath using lstat.
+ * If any segment is a symlink, resolves it and verifies it stays within parentDir.
+ * @param {string} targetPath - Absolute path to validate
+ * @param {string} parentDir - Absolute path of the extraction root
+ * @param {string} realParentDir - Pre-resolved real path of parentDir (handles OS-level symlinks like /var -> /private/var on macOS)
+ * @param {function} callback - callback(err, safe)
+ */
+function isRealPathSafe(targetPath, parentDir, realParentDir, callback) {
+  function isWithinParent(p) {
+    return isPathWithinParent(p, parentDir) || isPathWithinParent(p, realParentDir);
+  }
+
+  var relative = path.relative(parentDir, targetPath);
+  var segments = relative.split(path.sep);
+  var i = 0;
+  var current = parentDir;
+
+  function checkNext() {
+    if (i >= segments.length) return callback(null, true);
+    var segment = segments[i++];
+    if (!segment || segment === '.') return checkNext();
+
+    current = path.join(current, segment);
+    fs.lstat(current, function(err, stat) {
+      if (err) {
+        if (err.code === 'ENOENT') return callback(null, true); // doesn't exist yet, safe
+        // Fail closed: unexpected filesystem errors are unsafe
+        return callback(null, false);
+      }
+      if (!stat.isSymbolicLink()) return checkNext();
+
+      fs.realpath(current, function(err, resolved) {
+        if (err) {
+          if (err.code === 'ENOENT') {
+            // Dangling symlink - check textual target
+            return fs.readlink(current, function(err, linkTarget) {
+              if (err) return callback(null, false);
+              var absTarget = path.resolve(path.dirname(current), linkTarget);
+              callback(null, isWithinParent(absTarget));
+            });
+          }
+          // Fail closed: unexpected errors during symlink resolution are unsafe
+          return callback(null, false);
+        }
+        if (!isWithinParent(resolved)) return callback(null, false);
+        current = resolved;
+        checkNext();
+      });
+    });
+  }
+
+  checkNext();
+}
+
 // file/fileBuffer/stream
 exports.sourceType = source => {
   if (!source) return undefined;
@@ -112,74 +169,99 @@ exports.makeUncompressFn = StreamClass => {
         // Resolve destDir to absolute path for security validation
         const resolvedDestDir = path.resolve(destDir);
 
-        let entryCount = 0;
-        let successCount = 0;
-        let isFinish = false;
-        function done() {
-          // resolve when both stream finish and file write finish
-          if (isFinish && entryCount === successCount) resolve();
-        }
-
-        new StreamClass(opts)
-          .on('finish', () => {
-            isFinish = true;
-            done();
-          })
-          .on('error', reject)
-          .on('entry', (header, stream, next) => {
-            stream.on('end', next);
-            const destFilePath = path.join(resolvedDestDir, header.name);
-            const resolvedDestPath = path.resolve(destFilePath);
-
-            // Security: Validate that the entry path doesn't escape the destination directory
-            if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
-              console.warn(`[compressing] Skipping entry with path traversal: "${header.name}" -> "${resolvedDestPath}"`);
-              stream.resume();
-              return;
-            }
-
-            if (header.type === 'file') {
-              const dir = path.dirname(destFilePath);
-              mkdirp(dir, err => {
-                if (err) return reject(err);
-
-                entryCount++;
-                pump(stream, fs.createWriteStream(destFilePath, { mode: opts.mode || header.mode }), err => {
-                  if (err) return reject(err);
-                  successCount++;
-                  done();
-                });
-              });
-            } else if (header.type === 'symlink') {
-              const dir = path.dirname(destFilePath);
-              const target = path.resolve(dir, header.linkname);
-
-              // Security: Validate that the symlink target doesn't escape the destination directory
-              if (!isPathWithinParent(target, resolvedDestDir)) {
-                console.warn(`[compressing] Skipping symlink "${header.name}": target "${target}" escapes extraction directory`);
+        // Resolve once for the entire extraction to handle OS-level symlinks
+        // (e.g. /var -> /private/var on macOS)
+        let realDestDir = resolvedDestDir;
+        fs.realpath(resolvedDestDir, (err, resolved) => {
+          if (!err) realDestDir = resolved;
+
+          let entryCount = 0;
+          let successCount = 0;
+          let isFinish = false;
+          function done() {
+            // resolve when both stream finish and file write finish
+            if (isFinish && entryCount === successCount) resolve();
+          }
+
+          new StreamClass(opts)
+            .on('finish', () => {
+              isFinish = true;
+              done();
+            })
+            .on('error', reject)
+            .on('entry', (header, stream, next) => {
+              stream.on('end', next);
+              const destFilePath = path.join(resolvedDestDir, header.name);
+              const resolvedDestPath = path.resolve(destFilePath);
+
+              // Security: Validate that the entry path doesn't escape the destination directory
+              if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
+                console.warn('[compressing] Skipping entry with path traversal: "' + header.name + '" -> "' + resolvedDestPath + '"');
                 stream.resume();
                 return;
               }
 
-              entryCount++;
-
-              mkdirp(dir, err => {
-                if (err) return reject(err);
-
-                const relativeTarget = path.relative(dir, target);
-                fs.symlink(relativeTarget, destFilePath, err => {
-                  if (err) return reject(err);
-                  successCount++;
+              // Security: Validate no pre-existing symlink in the path escapes the extraction directory
+              isRealPathSafe(resolvedDestPath, resolvedDestDir, realDestDir, (err, safe) => {
+                if (err || !safe) {
+                  console.warn('[compressing] Skipping entry "' + header.name + '": a symlink in its path resolves outside the extraction directory');
                   stream.resume();
-                });
-              });
-            } else { // directory
-              mkdirp(destFilePath, err => {
-                if (err) return reject(err);
-                stream.resume();
+                  return;
+                }
+
+                if (header.type === 'file') {
+                  const dir = path.dirname(destFilePath);
+                  mkdirp(dir, err => {
+                    if (err) return reject(err);
+
+                    entryCount++;
+                    pump(stream, fs.createWriteStream(destFilePath, { mode: opts.mode || header.mode }), err => {
+                      if (err) return reject(err);
+                      successCount++;
+                      done();
+                    });
+                  });
+                } else if (header.type === 'symlink') {
+                  const dir = path.dirname(destFilePath);
+                  const target = path.resolve(dir, header.linkname);
+
+                  // Security: Validate that the symlink target doesn't escape the destination directory
+                  if (!isPathWithinParent(target, resolvedDestDir)) {
+                    console.warn('[compressing] Skipping symlink "' + header.name + '": target "' + target + '" escapes extraction directory');
+                    stream.resume();
+                    return;
+                  }
+
+                  // Security: Validate no pre-existing symlink in the target path escapes the extraction directory
+                  isRealPathSafe(target, resolvedDestDir, realDestDir, (err, targetSafe) => {
+                    if (err || !targetSafe) {
+                      console.warn('[compressing] Skipping symlink "' + header.name + '": target resolves outside extraction directory via existing symlink');
+                      stream.resume();
+                      return;
+                    }
+
+                    entryCount++;
+
+                    mkdirp(dir, err => {
+                      if (err) return reject(err);
+
+                      const relativeTarget = path.relative(dir, target);
+                      fs.symlink(relativeTarget, destFilePath, err => {
+                        if (err) return reject(err);
+                        successCount++;
+                        stream.resume();
+                      });
+                    });
+                  });
+                } else { // directory
+                  mkdirp(destFilePath, err => {
+                    if (err) return reject(err);
+                    stream.resume();
+                  });
+                }
               });
-            }
-          });
+            });
+        });
       });
     });
   };