fix: updater preserves symlinks in tar extraction and repairs CLI symlinks on macOS

PortableSheep · Copilot · PortableSheep · commit c4d12c364fac · 2026-03-03T20:23:02.000-06:00
Two bugs fixed:

1. extractTarGz skipped all symlinks (tar.TypeSymlink → continue). macOS
   .app bundles may contain internal relative symlinks that are critical.
   Now preserves relative symlinks whose targets stay within the extraction
   root, while still rejecting absolute or escaping symlinks for security.

2. refreshCLICopyBestEffort was a no-op on macOS. After the updater
   replaces the .app bundle, the CLI symlink created by install.sh
   (e.g. /usr/local/bin/rawrequest → RawRequest.app/Contents/MacOS/RawRequest)
   could be left broken. Added a darwin implementation that detects and
   repairs broken or stale CLI symlinks in common PATH directories.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/cmd/rawrequest-updater/cli_refresh_darwin.go b/cmd/rawrequest-updater/cli_refresh_darwin.go
@@ -0,0 +1,83 @@
+//go:build darwin
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// refreshCLICopyBestEffort repairs CLI symlinks that may have broken
+// during the app-bundle swap. install.sh creates a symlink such as
+// /usr/local/bin/rawrequest -> /Applications/RawRequest.app/Contents/MacOS/RawRequest.
+// After the updater renames the old .app and moves the new one into place
+// the symlink path is the same, but we verify it actually resolves and
+// recreate it if it doesn't.
+func refreshCLICopyBestEffort(installPath string) {
+	if !strings.HasSuffix(strings.ToLower(installPath), ".app") {
+		return
+	}
+
+	binaryPath := filepath.Join(installPath, "Contents", "MacOS", "RawRequest")
+	if _, err := os.Stat(binaryPath); err != nil {
+		return
+	}
+
+	candidates := cliSymlinkCandidates()
+	for _, linkPath := range candidates {
+		repairCLISymlink(linkPath, binaryPath)
+	}
+}
+
+// cliSymlinkCandidates returns directories where install.sh may have placed
+// a "rawrequest" symlink.
+func cliSymlinkCandidates() []string {
+	paths := []string{
+		"/usr/local/bin/rawrequest",
+		"/opt/homebrew/bin/rawrequest",
+	}
+	if home, err := os.UserHomeDir(); err == nil {
+		paths = append(paths, filepath.Join(home, ".local", "bin", "rawrequest"))
+	}
+	return paths
+}
+
+// repairCLISymlink checks whether linkPath is a symlink whose target is
+// missing or points into a backup .app bundle, and recreates it pointing
+// to targetPath.
+func repairCLISymlink(linkPath, targetPath string) {
+	fi, err := os.Lstat(linkPath)
+	if err != nil {
+		return // doesn't exist
+	}
+	if fi.Mode()&os.ModeSymlink == 0 {
+		return // not a symlink, leave it alone
+	}
+
+	currentTarget, err := os.Readlink(linkPath)
+	if err != nil {
+		return
+	}
+
+	// Already correct.
+	if currentTarget == targetPath {
+		return
+	}
+
+	// If the symlink resolves and doesn't point at a stale backup, leave it.
+	if _, err := os.Stat(linkPath); err == nil && !strings.Contains(currentTarget, ".bak-") {
+		return
+	}
+
+	// Symlink is broken or points at a backup — repair it.
+	fmt.Printf("Repairing CLI symlink %s -> %s\n", linkPath, targetPath)
+	if err := os.Remove(linkPath); err != nil {
+		fmt.Printf("Warning: could not remove old symlink %s: %v\n", linkPath, err)
+		return
+	}
+	if err := os.Symlink(targetPath, linkPath); err != nil {
+		fmt.Printf("Warning: could not create symlink %s -> %s: %v\n", linkPath, targetPath, err)
+	}
+}
diff --git a/cmd/rawrequest-updater/cli_refresh_darwin_test.go b/cmd/rawrequest-updater/cli_refresh_darwin_test.go
@@ -0,0 +1,134 @@
+//go:build darwin
+
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestRepairCLISymlink_FixesBroken(t *testing.T) {
+	tmp := t.TempDir()
+
+	// Simulate the binary inside a new .app bundle.
+	binary := filepath.Join(tmp, "RawRequest.app", "Contents", "MacOS", "RawRequest")
+	if err := os.MkdirAll(filepath.Dir(binary), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(binary, []byte("bin"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a broken symlink (target doesn't exist).
+	linkPath := filepath.Join(tmp, "rawrequest")
+	if err := os.Symlink("/no/such/path/RawRequest", linkPath); err != nil {
+		t.Fatal(err)
+	}
+
+	repairCLISymlink(linkPath, binary)
+
+	got, err := os.Readlink(linkPath)
+	if err != nil {
+		t.Fatalf("readlink after repair: %v", err)
+	}
+	if got != binary {
+		t.Fatalf("expected symlink to point to %s, got %s", binary, got)
+	}
+}
+
+func TestRepairCLISymlink_FixesBackup(t *testing.T) {
+	tmp := t.TempDir()
+
+	// Simulate old backup binary that still exists.
+	oldBinary := filepath.Join(tmp, "RawRequest.app.bak-20260101T000000Z", "Contents", "MacOS", "RawRequest")
+	if err := os.MkdirAll(filepath.Dir(oldBinary), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(oldBinary, []byte("old"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	// Simulate the new binary.
+	newBinary := filepath.Join(tmp, "RawRequest.app", "Contents", "MacOS", "RawRequest")
+	if err := os.MkdirAll(filepath.Dir(newBinary), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(newBinary, []byte("new"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	// Symlink pointing at the old backup (still resolves, but stale).
+	linkPath := filepath.Join(tmp, "rawrequest")
+	if err := os.Symlink(oldBinary, linkPath); err != nil {
+		t.Fatal(err)
+	}
+
+	repairCLISymlink(linkPath, newBinary)
+
+	got, err := os.Readlink(linkPath)
+	if err != nil {
+		t.Fatalf("readlink after repair: %v", err)
+	}
+	if got != newBinary {
+		t.Fatalf("expected symlink to point to %s, got %s", newBinary, got)
+	}
+}
+
+func TestRepairCLISymlink_LeavesCorrectAlone(t *testing.T) {
+	tmp := t.TempDir()
+
+	binary := filepath.Join(tmp, "RawRequest.app", "Contents", "MacOS", "RawRequest")
+	if err := os.MkdirAll(filepath.Dir(binary), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(binary, []byte("bin"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	linkPath := filepath.Join(tmp, "rawrequest")
+	if err := os.Symlink(binary, linkPath); err != nil {
+		t.Fatal(err)
+	}
+
+	repairCLISymlink(linkPath, binary)
+
+	got, err := os.Readlink(linkPath)
+	if err != nil {
+		t.Fatalf("readlink: %v", err)
+	}
+	if got != binary {
+		t.Fatalf("expected %s, got %s", binary, got)
+	}
+}
+
+func TestRepairCLISymlink_SkipsNonSymlink(t *testing.T) {
+	tmp := t.TempDir()
+
+	// Regular file, not a symlink.
+	filePath := filepath.Join(tmp, "rawrequest")
+	if err := os.WriteFile(filePath, []byte("regular"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	repairCLISymlink(filePath, "/some/target")
+
+	// File should remain a regular file, untouched.
+	fi, err := os.Lstat(filePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if fi.Mode()&os.ModeSymlink != 0 {
+		t.Fatal("regular file was turned into a symlink")
+	}
+}
+
+func TestRepairCLISymlink_SkipsNonexistent(t *testing.T) {
+	// Should not panic or error on missing path.
+	repairCLISymlink(filepath.Join(t.TempDir(), "nope"), "/some/target")
+}
+
+func TestRefreshCLICopyBestEffort_NonAppPath(t *testing.T) {
+	// Should be a no-op for non-.app paths.
+	refreshCLICopyBestEffort("/some/plain/directory")
+}
diff --git a/cmd/rawrequest-updater/cli_refresh_stub.go b/cmd/rawrequest-updater/cli_refresh_stub.go
@@ -1,7 +1,6 @@
-//go:build !windows
+//go:build !windows && !darwin
 
 package main
 
-// refreshCLICopyBestEffort is a no-op on non-Windows platforms.
-// On macOS the CLI uses a symlink that survives app bundle replacement.
+// refreshCLICopyBestEffort is a no-op on platforms other than macOS and Windows.
 func refreshCLICopyBestEffort(_ string) {}
diff --git a/cmd/rawrequest-updater/extract_test.go b/cmd/rawrequest-updater/extract_test.go
@@ -0,0 +1,113 @@
+package main
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func createTarGzWithSymlink(t *testing.T, dest string) {
+	t.Helper()
+	f, err := os.Create(dest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	gw := gzip.NewWriter(f)
+	defer gw.Close()
+	tw := tar.NewWriter(gw)
+	defer tw.Close()
+
+	// Directory
+	_ = tw.WriteHeader(&tar.Header{
+		Typeflag: tar.TypeDir,
+		Name:     "App.app/Contents/MacOS/",
+		Mode:     0o755,
+	})
+
+	// Regular file
+	body := []byte("binary-content")
+	_ = tw.WriteHeader(&tar.Header{
+		Typeflag: tar.TypeReg,
+		Name:     "App.app/Contents/MacOS/App",
+		Mode:     0o755,
+		Size:     int64(len(body)),
+	})
+	_, _ = tw.Write(body)
+
+	// Relative symlink inside the bundle (safe)
+	_ = tw.WriteHeader(&tar.Header{
+		Typeflag: tar.TypeSymlink,
+		Name:     "App.app/Contents/MacOS/app-cli",
+		Linkname: "App",
+	})
+
+	// Absolute symlink (should be skipped for security)
+	_ = tw.WriteHeader(&tar.Header{
+		Typeflag: tar.TypeSymlink,
+		Name:     "App.app/Contents/MacOS/evil",
+		Linkname: "/etc/passwd",
+	})
+
+	// Relative symlink escaping root (should be skipped)
+	_ = tw.WriteHeader(&tar.Header{
+		Typeflag: tar.TypeSymlink,
+		Name:     "App.app/Contents/MacOS/escape",
+		Linkname: "../../../../etc/passwd",
+	})
+}
+
+func TestExtractTarGz_PreservesRelativeSymlinks(t *testing.T) {
+	tmp := t.TempDir()
+	archive := filepath.Join(tmp, "test.tar.gz")
+	createTarGzWithSymlink(t, archive)
+
+	dest := filepath.Join(tmp, "extracted")
+	if err := os.MkdirAll(dest, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := extractTarGz(archive, dest); err != nil {
+		t.Fatalf("extractTarGz: %v", err)
+	}
+
+	// Regular file should exist.
+	binaryPath := filepath.Join(dest, "App.app", "Contents", "MacOS", "App")
+	if _, err := os.Stat(binaryPath); err != nil {
+		t.Fatalf("expected binary to exist: %v", err)
+	}
+
+	// Safe relative symlink should exist and resolve.
+	symlinkPath := filepath.Join(dest, "App.app", "Contents", "MacOS", "app-cli")
+	fi, err := os.Lstat(symlinkPath)
+	if err != nil {
+		t.Fatalf("expected safe symlink to exist: %v", err)
+	}
+	if fi.Mode()&os.ModeSymlink == 0 {
+		t.Fatal("expected app-cli to be a symlink")
+	}
+	target, err := os.Readlink(symlinkPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if target != "App" {
+		t.Fatalf("expected symlink target 'App', got %q", target)
+	}
+	// Verify the symlink resolves to the actual binary.
+	if _, err := os.Stat(symlinkPath); err != nil {
+		t.Fatalf("safe symlink should resolve: %v", err)
+	}
+
+	// Absolute symlink should NOT exist (skipped for security).
+	evilPath := filepath.Join(dest, "App.app", "Contents", "MacOS", "evil")
+	if _, err := os.Lstat(evilPath); err == nil {
+		t.Fatal("absolute symlink should have been skipped")
+	}
+
+	// Escaping symlink should NOT exist.
+	escapePath := filepath.Join(dest, "App.app", "Contents", "MacOS", "escape")
+	if _, err := os.Lstat(escapePath); err == nil {
+		t.Fatal("escaping symlink should have been skipped")
+	}
+}
diff --git a/cmd/rawrequest-updater/updater_main.go b/cmd/rawrequest-updater/updater_main.go
@@ -318,7 +318,26 @@ func extractTarGz(src, dest string) error {
 			}
 			out.Close()
 		case tar.TypeSymlink:
-			continue
+			linkTarget := hdr.Linkname
+			// Reject absolute symlink targets for security.
+			if filepath.IsAbs(linkTarget) {
+				continue
+			}
+			// Resolve the full path the symlink would point to and
+			// ensure it stays within the extraction root.
+			resolved := filepath.Clean(filepath.Join(filepath.Dir(target), linkTarget))
+			rel, err := filepath.Rel(dest, resolved)
+			if err != nil || strings.HasPrefix(rel, "..") {
+				continue
+			}
+			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
+				return err
+			}
+			// Remove any existing entry so os.Symlink doesn't fail.
+			_ = os.Remove(target)
+			if err := os.Symlink(linkTarget, target); err != nil {
+				return err
+			}
 		default:
 			continue
 		}
