fix(unpack): improve UnpackSync symlink error "into" path accuracy

scumfrog · isaacs · commit 2cb1120bcefe · 2026-02-15T16:13:16.000-08:00
UnpackSync[ENSURE_NO_SYMLINK] previously constructed SymlinkError's
"into" path using the full original linkpath parts array, which could
produce misleading diagnostics.

Build the "into" path from the original `cwd` value and the `parts`
list.
diff --git a/src/unpack.ts b/src/unpack.ts
@@ -1161,7 +1161,7 @@ export class UnpackSync extends Unpack {
       if (er) return done()
       if (st.isSymbolicLink()) {
         return onError(
-          new SymlinkError(t, path.resolve(t, parts.join('/'))),
+          new SymlinkError(t, path.resolve(cwd, parts.join('/'))),
         )
       }
     }
diff --git a/test/pack.js b/test/pack.js
@@ -94,8 +94,8 @@ t.test('pack a file', t => {
 
       t.equal(sync.subarray(512).length, data.subarray(512).length)
       t.equal(
-        (sync.subarray(512).toString()),
-        (data.subarray(512).toString()),
+        sync.subarray(512).toString(),
+        data.subarray(512).toString(),
       )
       const hs = new Header(sync)
       t.match(hs, expect)
diff --git a/test/unpack.js b/test/unpack.js
@@ -3317,7 +3317,11 @@ t.test('ignore self-referential hardlinks', async t => {
   ])
   const check = (t, warnings) => {
     t.matchSnapshot(warnings)
-    t.strictSame(fs.readdirSync(t.testdirName), [], 'nothing extracted')
+    t.strictSame(
+      fs.readdirSync(t.testdirName),
+      [],
+      'nothing extracted',
+    )
     t.end()
   }
   t.test('async', t => {
@@ -3450,10 +3454,11 @@ t.test('no linking through a symlink', t => {
         '',
         '',
       ])
-      const setup = t =>  t.testdir({
-        x: {},
-        'exploited-file': 'original content',
-      })
+      const setup = t =>
+        t.testdir({
+          x: {},
+          'exploited-file': 'original content',
+        })
       const check = t => {
         fs.writeFileSync(t.testdirName + '/x/exploit', 'pwned')
         t.equal(
@@ -3463,20 +3468,38 @@ t.test('no linking through a symlink', t => {
       }
       t.test('sync', t => {
         const cwd = setup(t)
-        t.throws(() => {
-          new UnpackSync({ cwd, strict: true }).end(exploit)
-        })
+        t.throws(
+          () => {
+            new UnpackSync({ cwd, strict: true }).end(exploit)
+          },
+          {
+            name: 'SymlinkError',
+            message: /^TAR_SYMLINK_ERROR/,
+            path: /a.b.escape.exploited-file$/,
+            symlink: /a.b.escape$/,
+          },
+        )
         check(t)
         t.end()
       })
       t.test('async', async t => {
         const cwd = setup(t)
-        await t.rejects(new Promise((res, rej) => {
-          new Unpack({ cwd, strict: true })
-            .on('finish', res)
-            .on('error', rej)
-            .end(exploit)
-        }))
+        await t.rejects(
+          new Promise(
+            (res, rej) => {
+              new Unpack({ cwd, strict: true })
+                .on('finish', res)
+                .on('error', rej)
+                .end(exploit)
+            },
+            {
+              name: 'SymlinkError',
+              message: /^TAR_SYMLINK_ERROR/,
+              path: /a.b.escape.exploited-file$/,
+              symlink: /a.b.escape$/,
+            },
+          ),
+        )
         check(t)
       })
       t.end()

Original file line number	Diff line number	Diff line change
`@@ -1161,7 +1161,7 @@ export class UnpackSync extends Unpack {`
`1161`	`1161`	`if (er) return done()`
`1162`	`1162`	`if (st.isSymbolicLink()) {`
`1163`	`1163`	`return onError(`
`1164`		`- new SymlinkError(t, path.resolve(t, parts.join('/'))),`
	`1164`	`+ new SymlinkError(t, path.resolve(cwd, parts.join('/'))),`
`1165`	`1165`	`)`
`1166`	`1166`	`}`
`1167`	`1167`	`}`