fix: ignore symlink file if it links outside module #8568
Conversation
🦋 Changeset detectedLatest commit: 5eef967 The changes in this PR will be included in the next version bump. This PR includes changesets to release 8 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
✅ Deploy Preview for car-park-attendant-cleat-11576 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
beyondkmp
changed the title
beyondkmp
changed the title
beyondkmp
changed the title
|
|
||
| test.ifDevOrLinuxCi( | ||
| "ignore symlink file if it links outside node_modules", | ||
| app( |
There was a problem hiding this comment.
We already have a test that should be failing if the symlink is outside of the project dir (doesn't need to be a node_module specifically, just any symlinked file)
electron-builder/test/src/globTest.ts
Lines 107 to 125 in cd1e3b0
I don't think we need this "ignore symlink file if it links outside node_modules" test and can instead just reuse the "outside link" test instead
| log.warn({ module: moduleName, file: filePath, resolvedLinkTarget }, `deleting symlink outside module`) | ||
| return null | ||
| } | ||
| } |
There was a problem hiding this comment.
I think this logic needs to be in asarUtil instead of NodeModuleCopyHelper as the symlink outside the project dir can't be allowed for both file assets or node modules.
Let me finish up the electron/asar migration and I can incorporate your changes here into that PR branch
There was a problem hiding this comment.
If it's done in asarUtil, any files linked to other workspaces within the project will all fail. I'm not sure how common this usage pattern is.
There was a problem hiding this comment.
any files linked to other workspaces within the project will all fail
Can you elaborate on this? Are you referring to a two-package.json project structure?
I'm not sure how common this usage pattern is.
It's less so about how common it is and more so about enforcing best practices. For instance, electron/asar already validates making sure symlinks are within the package during asar extraction: https://github.com/electron/asar/blob/464e83436967438c74d8ac184b088fc780706b2d/src/asar.ts#L249-L253
There was a problem hiding this comment.
I think we can close this PR in favor of electron/asar PR #8570 implementation of this symlink logic:
electron-builder/packages/app-builder-lib/src/asar/asarUtil.ts
Lines 101 to 109 in 9fc967e
There was a problem hiding this comment.
Agreeded. I will close it.
If there is a symlink file in some node module that points to
../../../../../../etc/passwd, this would cause the system's passwd file to be packaged along with it.The solution is to restrict symlinks within modules to only link to other files within their directory. Any symlinks pointing outside of this directory will be ignored, and a warning log will be generated.