diff --git a/ProjectSourceCode/node_modules/.package-lock.json b/ProjectSourceCode/node_modules/.package-lock.json
index cf42ed4..5c18ef4 100644
--- a/ProjectSourceCode/node_modules/.package-lock.json
+++ b/ProjectSourceCode/node_modules/.package-lock.json
@@ -4022,8 +4022,9 @@
 }
 },
 "node_modules/tar": {
- "version": "6.2.0",
- "license": "ISC",
+ "version": "6.2.1",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
+ "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
 "dependencies": {
 "chownr": "^2.0.0",
 "fs-minipass": "^2.0.0",
diff --git a/ProjectSourceCode/node_modules/tar/README.md b/ProjectSourceCode/node_modules/tar/README.md
index 7cb09da..f620568 100644
--- a/ProjectSourceCode/node_modules/tar/README.md
+++ b/ProjectSourceCode/node_modules/tar/README.md
@@ -115,6 +115,8 @@ Handlers receive 3 arguments: encountered an error which prevented it from being unpacked. This occurs when: - an unrecoverable fs error happens during unpacking, + - an entry is trying to extract into an excessively deep + location (by default, limited to 1024 subfolders), - an entry has `..` in the path and `preservePaths` is not set, or - an entry is extracting through a symbolic link, when `preservePaths` is not set.
@@ -427,6 +429,10 @@ The following options are supported: `process.umask()` to determine the default umask value, since tar will extract with whatever mode is provided, and let the process `umask` apply normally. +- `maxDepth` The maximum depth of subfolders to extract into. This defaults to 1024. Anything deeper than the limit will raise a warning and skip the entry. Set to `Infinity` to remove the limitation. The following options are mostly internal, but can be modified in some advanced use cases, such as re-using caches between runs.
@@ -749,6 +755,10 @@ Most unpack errors will cause a `warn` event to be emitted. If the `process.umask()` to determine the default umask value, since tar will extract with whatever mode is provided, and let the process `umask` apply normally. +- `maxDepth` The maximum depth of subfolders to extract into. This defaults to 1024. Anything deeper than the limit will raise a warning and skip the entry. Set to `Infinity` to remove the limitation. ### class tar.Unpack.Sync
diff --git a/ProjectSourceCode/node_modules/tar/lib/unpack.js b/ProjectSourceCode/node_modules/tar/lib/unpack.js
index fa46611..03172e2 100644
--- a/ProjectSourceCode/node_modules/tar/lib/unpack.js
+++ b/ProjectSourceCode/node_modules/tar/lib/unpack.js
@@ -48,6 +48,7 @@ const crypto = require('crypto')
 const getFlag = require('./get-write-flag.js')
 const platform = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform
 const isWindows = platform === 'win32'
+const DEFAULT_MAX_DEPTH = 1024

 // Unlinks on Windows are not atomic.
 //
@@ -181,6 +182,12 @@ class Unpack extends Parser {
 this.processGid = (this.preserveOwner || this.setOwner) && process.getgid ? process.getgid() : null

+ // prevent excessively deep nesting of subfolders
+ // set to `Infinity` to remove this restriction
+ this.maxDepth = typeof opt.maxDepth === 'number'
+ ? opt.maxDepth
+ : DEFAULT_MAX_DEPTH
+
 // mostly just for testing, but useful in some cases.
 // Forcibly trigger a chown on every entry, no matter what
 this.forceChown = opt.forceChown === true
@@ -238,13 +245,13 @@ class Unpack extends Parser {
 }

 [CHECKPATH] (entry) {
+ const p = normPath(entry.path)
+ const parts = p.split('/')
+
 if (this.strip) {
- const parts = normPath(entry.path).split('/')
 if (parts.length < this.strip) {
 return false
 }
- entry.path = parts.slice(this.strip).join('/')
-
 if (entry.type === 'Link') {
 const linkparts = normPath(entry.linkpath).split('/')
 if (linkparts.length >= this.strip) {
@@ -253,11 +260,21 @@ class Unpack extends Parser {
 return false
 }
 }
+ parts.splice(0, this.strip)
+ entry.path = parts.join('/')
+ }
+
+ if (isFinite(this.maxDepth) && parts.length > this.maxDepth) {
+ this.warn('TAR_ENTRY_ERROR', 'path excessively deep', {
+ entry,
+ path: p,
+ depth: parts.length,
+ maxDepth: this.maxDepth,
+ })
+ return false
 }

 if (!this.preservePaths) {
- const p = normPath(entry.path)
- const parts = p.split('/')
 if (parts.includes('..') || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) {
 this.warn('TAR_ENTRY_ERROR', `path contains '..'`, {
 entry,
diff --git a/ProjectSourceCode/node_modules/tar/package.json b/ProjectSourceCode/node_modules/tar/package.json
index 46d91ee..f84a41c 100644
--- a/ProjectSourceCode/node_modules/tar/package.json
+++ b/ProjectSourceCode/node_modules/tar/package.json
@@ -2,7 +2,7 @@
 "author": "GitHub Inc.",
 "name": "tar",
 "description": "tar for node",
- "version": "6.2.0",
+ "version": "6.2.1",
 "repository": {
 "type": "git",
 "url": "https://github.com/isaacs/node-tar.git"
diff --git a/ProjectSourceCode/package-lock.json b/ProjectSourceCode/package-lock.json
index c1fdec3..1e7f570 100644
--- a/ProjectSourceCode/package-lock.json
+++ b/ProjectSourceCode/package-lock.json
@@ -4044,8 +4044,9 @@
 }
 },
 "node_modules/tar": {
- "version": "6.2.0",
- "license": "ISC",
+ "version": "6.2.1",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
+ "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
 "dependencies": {
 "chownr": "^2.0.0",
 "fs-minipass": "^2.0.0",
diff --git a/ProjectSourceCode/test/server.spec.js b/ProjectSourceCode/test/server.spec.js
index 86af947..3ebd73f 100644
--- a/ProjectSourceCode/test/server.spec.js
+++ b/ProjectSourceCode/test/server.spec.js
@@ -36,7 +36,7 @@ describe('Server!', () => {
 it('positive: /register', done => {
 // Define mock user data
 const userData = {
- username: 'Vishal Vunnam',
+ username: 'Vishal',
 password: '123456'
 };
 // Make a POST request to /register with mock user data
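Review bot: The fixture username changes from 'Vishal Vunnam' to 'Vishal' on the `username` line with nothing in the hunk saying why, so a later reader cannot tell whether /register stopped accepting the old value (whitespace, length, or some other rule) or the edit is cosmetic. If a validation rule is the reason, this positive test only exercises it by accident and a matching negative case — `it('negative: /register rejects an invalid username', ...)` sending the old value and asserting the rejection — would pin the behaviour; at minimum a comment such as `// keep in sync with the username rules enforced by /register` on the `username` line records the intent. Because the fixture is fixed, a second run against a persistent store would turn this case into a duplicate-registration attempt; worth confirming the suite resets state between runs, which this hunk does not show. The `it` callback continues beyond the hunk.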