Bump fstream to fix hardlink overwriting vulnerability

Fix #212
Fix #213

Author: isaacs

lib/parse.js

@@ -251,10 +251,6 @@ Parse.prototype._startEntry = function (c) {
 
   if (onend) entry.on("end", onend)
 
-  if (entry.type === "File" && this._hardLinks[entry.path]) {
-    ev = "ignoredEntry"
-  }
-
   this._entry = entry
 
   if (entry.type === "Link") {

package.json

@@ -13,7 +13,7 @@
   },
   "dependencies": {
     "block-stream": "*",
-    "fstream": "^1.0.2",
+    "fstream": "^1.0.12",
     "inherits": "2"
   },
   "devDependencies": {

test/link-file-entry-collision.js

@@ -0,0 +1,39 @@
+// Set the umask, so that it works the same everywhere.
+process.umask(parseInt('22', 8))
+
+var tap = require("tap")
+  , tar = require("../tar.js")
+  , fs = require("fs")
+  , path = require("path")
+  , file = path.resolve(__dirname, "link-file-entry-collision/bad-link.tar")
+  , target = path.resolve(__dirname, "tmp/link-file-entry-collision")
+  , index = 0
+  , fstream = require("fstream")
+  , mkdirp = require("mkdirp")
+  , rimraf = require("rimraf")
+
+tap.test("preclean", function (t) {
+  rimraf.sync(target)
+  t.pass("cleaned!")
+  t.end()
+})
+
+tap.test("extract test", function (t) {
+  var extract = tar.Extract(target)
+  var inp = fs.createReadStream(file)
+  inp.pipe(extract)
+
+  extract.on("end", function () {
+    t.equal(fs.readFileSync(target + "/bad-link-target", "utf8"),
+      "this should remain the same\n")
+    t.equal(fs.readFileSync(target + "/a.txt", "utf8"),
+      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
+    t.end()
+  })
+})
+
+tap.test("cleanup", function (t) {
+  rimraf.sync(target)
+  t.pass("cleaned!")
+  t.end()
+})

test/link-file-entry-collision/bad-link.hex

@@ -0,0 +1,25 @@
+-- header for the link target --
+6261642d6c696e6b2d74617267657400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030303037363520003030303032342000303030303030303030333420313334363636353530353620303134333731002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # bad-link-target.....................................................................................000644..000765..000024..00000000034.13466655056.014371..0...................................................................................................
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # .ustar.00isaacs..........................staff...........................000000..000000.........................................................................................................................................................................
+
+-- link target file contents (should not be overwritten) --
+746869732073686f756c642072656d61696e207468652073616d650a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # this.should.remain.the.same.....................................................................................................................................................................................................................................
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # ................................................................................................................................................................................................................................................................
+
+-- header for the link named a.txt --
+612e74787400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003030303634342000303030373635200030303030323420003030303030303030303030203133343636363535303536203031353334320020316261642d6c696e6b2d746172676574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # a.txt...............................................................................................000644..000765..000024..00000000000.13466655056.015342..1bad-link-target....................................................................................
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # .ustar.00isaacs..........................staff...........................000000..000000.........................................................................................................................................................................
+
+-- header for file entry which attempts to overwrite the link --
+612e7478740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030353737363120003030303032342000303030303030303034303120313136353133363033333320303132343531002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # a.txt...............................................................................................000644..057761..000024..00000000401.11651360333.012451..0...................................................................................................
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # .ustar.00isaacs..........................staff...........................000000..000000.........................................................................................................................................................................
+
+-- contents that threaten to overwrite the link target --
+61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161  # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+61000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # a...............................................................................................................................................................................................................................................................
+
+-- tar eof --
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # ................................................................................................................................................................................................................................................................
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # ................................................................................................................................................................................................................................................................
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # ................................................................................................................................................................................................................................................................
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  # ................................................................................................................................................................................................................................................................