From a9595bad3ed7fd5624a167bab00f1340e25846ed Mon Sep 17 00:00:00 2001 From: David Sherret Date: Tue, 13 Jun 2023 09:48:13 -0400 Subject: [PATCH] fix(npm): warn when tarball contains hardlink or symlink (#19474) This is to help us get some visibility into whether we need to support this. --- cli/npm/tarball.rs | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/cli/npm/tarball.rs b/cli/npm/tarball.rs index ce1ac33395..18a5556716 100644 --- a/cli/npm/tarball.rs +++ b/cli/npm/tarball.rs @@ -107,8 +107,26 @@ fn extract_tarball(data: &[u8], output_folder: &Path) -> Result<(), AnyError> { ) } } - if entry.header().entry_type() == EntryType::Regular { - entry.unpack(&absolute_path)?; + + let entry_type = entry.header().entry_type(); + match entry_type { + EntryType::Regular => { + entry.unpack(&absolute_path)?; + } + EntryType::Symlink | EntryType::Link => { + // At the moment, npm doesn't seem to support uploading hardlinks or + // symlinks to the npm registry. If ever adding symlink or hardlink + // support, we will need to validate that the hardlink and symlink + // target are within the package directory. + log::warn!( + "Ignoring npm tarball entry type {:?} for '{}'", + entry_type, + absolute_path.display() + ) + } + _ => { + // ignore + } } } Ok(())