fpsqdb
diff --git a/‎src/fs.ts‎
Lines changed: 89 additions & 7 deletions b/‎src/fs.ts‎
Lines changed: 89 additions & 7 deletions
diff --git a/‎src/unzip.ts‎
Lines changed: 26 additions & 2 deletions b/‎src/unzip.ts‎
Lines changed: 26 additions & 2 deletions
diff --git a/‎test/src/unzipArbitraryFileWrite.ts‎
Lines changed: 68 additions & 3 deletions b/‎test/src/unzipArbitraryFileWrite.ts‎
Lines changed: 68 additions & 3 deletions
diff --git a/‎test/unzipResources/arbitrary_write/output1.zip‎
119 Bytes b/‎test/unzipResources/arbitrary_write/output1.zip‎
119 Bytes
diff --git a/‎test/unzipResources/arbitrary_write/output2.zip‎
148 Bytes b/‎test/unzipResources/arbitrary_write/output2.zip‎
148 Bytes
diff --git a/‎test/unzipResources/arbitrary_write/output3.zip‎
145 Bytes b/‎test/unzipResources/arbitrary_write/output3.zip‎
145 Bytes
@@ -65,13 +65,21 @@ export async function getFileEntry(target: string): Promise<FileEntry> {
     };
 }
 
-export async function ensureFolder(folder: string): Promise<void> {
+export async function ensureFolder(folder: string): Promise<{
+    isDirectory: boolean,
+    isSymbolicLink: boolean,
+    realpath?: string,
+}> {
     // stop at root
     if (folder === path.dirname(folder)) {
-        return Promise.resolve();
+        return Promise.resolve({
+            isDirectory: true,
+            isSymbolicLink: false
+        });
     }
     try {
-        await mkdir(folder);
+        const result = await mkdir(folder);
+        return result;
     } catch (error) {
         // ENOENT: a parent folder does not exist yet, continue
         // to create the parent folder and then try again.
@@ -125,9 +133,17 @@ export async function rimraf(target: string): Promise<void> {
     }
 }
 
-async function mkdir(folder: string): Promise<void> {
+async function mkdir(folder: string): Promise<{
+    isDirectory: boolean,
+    isSymbolicLink: boolean,
+    realpath?: string,
+}> {
     try {
         await fs.mkdir(folder, 0o777);
+        return {
+            isDirectory: true,
+            isSymbolicLink: false,
+        };
     } catch (error) {
         // ENOENT: a parent folder does not exist yet or folder name is invalid.
         if (error.code === "ENOENT") {
@@ -136,14 +152,80 @@ async function mkdir(folder: string): Promise<void> {
         // Any other error: check if folder exists and
         // return normally in that case if its a folder
         try {
-            const fileStat = await fs.stat(folder);
-            if (!fileStat.isDirectory()) {
-                return Promise.reject(new Error(`"${folder}" exists and is not a directory.`));
+            const fileStat = await fs.lstat(folder);
+            if (fileStat.isSymbolicLink()) {
+                const realFilePath = await realpath(folder);
+                const realFileStat = await fs.lstat(realFilePath);
+                if (!realFileStat.isDirectory()) {
+                    return Promise.reject(new Error(`"${folder}" exists and is not a directory.`));
+                }
+                return {
+                    isDirectory: false,
+                    isSymbolicLink: true,
+                    realpath: realFilePath,
+                }
+            } else {
+                if (!fileStat.isDirectory()) {
+                    return Promise.reject(new Error(`"${folder}" exists and is not a directory.`));
+                }
+                return {
+                    isDirectory: true,
+                    isSymbolicLink: false,
+                }
             }
         } catch (statError) {
             throw error; // rethrow original error
         }
     }
+
+    // // Any other error: check if folder exists and
+    // // return normally in that case if its a folder
+    // try {
+    //     if (folder.includes("dirlink")) {
+    //         console.log("tttttt11111", folder);
+    //     }
+    //     const fileStat = await fs.lstat(folder);
+    //     if (folder.includes("dirlink")) {
+    //         console.log("tttttt22222", fileStat);
+    //     }
+    //     if (fileStat.isSymbolicLink()) {
+    //         console.log("kkkkkkkkk", fileStat);
+    //         const realFilePath = await realpath(folder);
+    //         const realFileStat = await fs.lstat(realFilePath);
+    //         if (!realFileStat.isDirectory()) {
+    //             return Promise.reject(new Error(`"${folder}" exists and is not a directory.`));
+    //         }
+    //         return {
+    //             isDirectory: false,
+    //             isSymbolicLink: true,
+    //             realpath: realFilePath,
+    //         }
+    //     } else {
+    //         if (!fileStat.isDirectory()) {
+    //             return Promise.reject(new Error(`"${folder}" exists and is not a directory.`));
+    //         }
+    //         return {
+    //             isDirectory: true,
+    //             isSymbolicLink: false,
+    //         }
+    //     }
+    // } catch (statError) {
+    //     if (folder.includes("dirlink")) {
+    //         console.log("yyyyy", statError);
+    //     }
+    //     // ignore
+    // }
+    // if (folder.includes("dirlink")) {
+    //     console.log("kkkkkkkkk22222", folder);
+    // }
+    // await fs.mkdir(folder, { recursive: true, mode: 0o777 });
+    // if (folder.includes("dirlink")) {
+    //     console.log("kkkkkkkkk3333333", folder);
+    // }
+    // return {
+    //     isDirectory: true,
+    //     isSymbolicLink: false,
+    // };
 }
 
 // "A"
 
@@ -97,6 +97,10 @@ interface IEntryContext {
      * The name of the symlink file that has been processed.
      */
     readonly symlinkFileNames: string[];
+    /**
+     * The name of the symlink folder that has been processed.
+     */
+    readonly symlinkFolders: { folder: string, realpath: string }[];
     getFilePath(): string;
     /**
      * Whether the specified path is outside the target folder
@@ -110,6 +114,7 @@ class EntryContext implements IEntryContext {
         private _realTargetFolder: string,
         private symlinkAsFileOnWindows: boolean) {
         this._symlinkFileNames = [];
+        this._symlinkFolders = [];
     }
     private _decodeEntryFileName: string;
     public get decodeEntryFileName(): string {
@@ -128,19 +133,32 @@ class EntryContext implements IEntryContext {
     public get symlinkFileNames(): string[] {
         return this._symlinkFileNames;
     }
+    private _symlinkFolders: { folder: string, realpath: string }[];
+    public get symlinkFolders(): { folder: string, realpath: string }[] {
+        return this._symlinkFolders;
+    }
 
     public getFilePath(): string {
         return path.join(this.targetFolder, this.decodeEntryFileName);
     }
 
     public async isOutsideTargetFolder(tpath: string): Promise<boolean> {
-        if (this.symlinkFileNames.length === 0) {
+        if (this.symlinkFileNames.length === 0 &&
+            this.symlinkFolders.length === 0
+        ) {
             return false;
         }
         if (process.platform === "win32" &&
             this.symlinkAsFileOnWindows) {
             return false;
         }
+        for (const { folder, realpath } of this.symlinkFolders) {
+            if (tpath.includes(folder)) {
+                if (realpath.indexOf(this.realTargetFolder) !== 0) {
+                    return true;
+                }
+            }
+        }
         for (const fileName of this.symlinkFileNames) {
             if (tpath.includes(fileName)) {
                 const realFilePath = await exfs.realpath(tpath);
@@ -318,7 +336,13 @@ export class Unzip extends Cancelable {
     private async extractEntry(zfile: yauzl.ZipFile, entry: yauzl.Entry, entryContext: IEntryContext, token: CancellationToken): Promise<void> {
         const filePath = entryContext.getFilePath();
         const fileDir = path.dirname(filePath);
-        await exfs.ensureFolder(fileDir);
+        const folderStat = await exfs.ensureFolder(fileDir);
+        if (folderStat.isSymbolicLink) {
+            entryContext.symlinkFolders.push({
+                folder: fileDir,
+                realpath: folderStat.realpath!,
+            })
+        }
         const outside = await entryContext.isOutsideTargetFolder(fileDir);
         if (outside) {
             const error = new Error(`Refuse to write file outside "${entryContext.targetFolder}", file: "${filePath}"`);
 
@@ -1,19 +1,84 @@
 import * as zl from "../../dist";
+import * as fs from "../../dist/fs";
 import * as path from "path";
 import * as assert from "assert";
 
 describe("unzip", () => {
-    it("extract a zip file that attempt to write file outside ouput folder", async () => {
+    it("extract a zip file that attempt to write file outside output folder", async () => {
         try {
             await zl.extract(path.join(__dirname, "../unzipResources/arbitrary_file_write.zip"), path.join(__dirname, "../unzips/arbitrary_file_write"), {
                 overwrite: true,
                 symlinkAsFileOnWindows: false
             });
-            assert.fail("extract a zip file that attempt to write file outside ouput folder");
+            assert.fail("extract a zip file that attempt to write file outside output folder");
         } catch (error) {
             if (process.platform === "win32" &&
                 error.code === "EPERM") {
-                assert.ok(true, "code EPERM as expected");
+                console.warn("Please run this test with administator.");
+                assert.ok(true, "Please run this test with administator.");
+            } else if (error.name === "AFWRITE") {
+                assert.ok(true, "name AFWRITE as expected");
+            } else {
+                assert.fail(error);
+            }
+        }
+    });
+    it("extract a zip file that attempt to write file to symlink folder which is outside output folder", async () => {
+        try {
+            await fs.rimraf(path.join(__dirname, "../unzips/arbitrary_write/output"));
+            await fs.rimraf(path.join(__dirname, "../unzips/arbitrary_write/tmp"));
+            await fs.ensureFolder(path.join(__dirname, "../unzips/arbitrary_write/tmp"));
+            await zl.extract(path.join(__dirname, "../unzipResources/arbitrary_write/output1.zip"), path.join(__dirname, "../unzips/arbitrary_write/output"), {
+                overwrite: false,
+                symlinkAsFileOnWindows: false
+            });
+        } catch (error) {
+            if (process.platform === "win32" &&
+                error.code === "EPERM") {
+                console.warn("Please run this test with administator.");
+                assert.ok(true, "Please run this test with administator.");
+            } else if (error.name === "AFWRITE") {
+                assert.ok(true, "name AFWRITE as expected");
+            } else {
+                assert.fail(error);
+            }
+        }
+
+        try {
+            await zl.extract(path.join(__dirname, "../unzipResources/arbitrary_write/output2.zip"), path.join(__dirname, "../unzips/arbitrary_write/output"), {
+                overwrite: false,
+                symlinkAsFileOnWindows: false
+            });
+            if (process.platform === "win32") {
+                assert.ok(true, "Please run this test with administator.");
+            } else {
+                assert.fail("extract a zip file that attempt to write file to symlink folder which is outside output folder");
+            }
+        } catch (error) {
+            if (process.platform === "win32" &&
+                error.code === "EPERM") {
+                assert.ok(true, "Please run this test with administator.");
+            } else if (error.name === "AFWRITE") {
+                assert.ok(true, "name AFWRITE as expected");
+            } else {
+                assert.fail(error);
+            }
+        }
+
+        try {
+            await zl.extract(path.join(__dirname, "../unzipResources/arbitrary_write/output3.zip"), path.join(__dirname, "../unzips/arbitrary_write/output"), {
+                overwrite: false,
+                symlinkAsFileOnWindows: false
+            });
+            if (process.platform === "win32") {
+                assert.ok(true, "Please run this test with administator.");
+            } else {
+                assert.fail("extract a zip file that attempt to write file to symlink folder which is outside output folder");
+            }
+        } catch (error) {
+            if (process.platform === "win32" &&
+                error.code === "EPERM") {
+                assert.ok(true, "Please run this test with administator.");
             } else if (error.name === "AFWRITE") {
                 assert.ok(true, "name AFWRITE as expected");
             } else {