fix(cp): improve symlink validation for cross-platform and relative paths

rgarcia · rgarcia · commit 068aedc0d5e9 · 2025-12-23T04:43:49.000Z
- Use path.posix.isAbsolute to detect Unix absolute paths on Windows
- Replace overly restrictive '..' check with proper containment check
- Resolve symlink target relative to symlink's parent directory
- Handle root destination path as special case
diff --git a/src/lib/cp.ts b/src/lib/cp.ts
@@ -411,11 +411,26 @@ export async function cpFromInstance(cfg: CpConfig, opts: CpFromInstanceOptions)
                 }
                 // Validate symlink target
                 const linkTarget = currentHeader.link_target;
-                if (path.isAbsolute(linkTarget) || path.normalize(linkTarget).startsWith('..')) {
-                  doReject(new Error(`Invalid symlink target: ${linkTarget}`));
+                // Use path.posix.isAbsolute to detect Unix absolute paths even on Windows
+                if (path.posix.isAbsolute(linkTarget) || path.isAbsolute(linkTarget)) {
+                  doReject(new Error(`Invalid symlink target (absolute path): ${linkTarget}`));
                   ws.close();
                   return;
                 }
+                // Check if the symlink target escapes the destination directory
+                // Resolve relative to the symlink's parent directory
+                const linkDir = path.dirname(targetPath);
+                const resolvedTarget = path.resolve(linkDir, linkTarget);
+                const dstPathNorm = path.resolve(opts.dstPath);
+                // For root destination, just ensure resolved target is absolute
+                // For other destinations, ensure resolved target is within dstPath
+                if (dstPathNorm !== '/' && dstPathNorm !== path.sep) {
+                  if (!resolvedTarget.startsWith(dstPathNorm + path.sep) && resolvedTarget !== dstPathNorm) {
+                    doReject(new Error(`Invalid symlink target (escapes destination): ${linkTarget}`));
+                    ws.close();
+                    return;
+                  }
+                }
                 // Create parent directory if needed
                 fs.mkdirSync(path.dirname(targetPath), { recursive: true });
                 try {
