mirror of
https://github.com/oven-sh/bun
synced 2026-02-10 02:48:50 +00:00
## Summary

- Fixes a path traversal vulnerability via symlink when installing GitHub packages
- Validates symlink targets before creation to ensure they stay within the extraction directory
- Rejects absolute symlinks and relative paths that would escape the extraction directory

## Details

When extracting GitHub tarballs, Bun did not validate symlink targets. A malicious tarball could:

1. Create a symlink pointing outside the extraction directory (e.g., `../../../../../../../tmp`)
2. Include a file entry through that symlink path (e.g., `symlink-to-tmp/pwned.txt`)

When extracted, the symlink would be created first, then the file would be written through it, ending up outside the intended package directory (e.g., `/tmp/pwned.txt`).

### The Fix

Added an `isSymlinkTargetSafe()` function that:

1. Rejects absolute symlink targets (starting with `/`)
2. Normalizes the combined path (symlink location + target) and rejects if the result starts with `..` (would escape)

## Test plan

- [x] Added regression test `test/cli/install/symlink-path-traversal.test.ts`
- [x] Tests verify relative path traversal symlinks are blocked
- [x] Tests verify absolute symlink targets are blocked
- [x] Tests verify safe relative symlinks within the package still work
- [x] Verified test fails with system bun (vulnerable) and passes with debug build (fixed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>
Co-authored-by: Dylan Conway <dylan.conway567@gmail.com>
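The attack sequence and the two rules of the fix, as an added example that is not part of the PR or of Bun's source: a TypeScript reimplementation of a check carrying the same name and rules as the described `isSymlinkTargetSafe()`, followed by an in-memory extraction simulator that resolves each entry through symlinks created by earlier entries, which is what the real filesystem does when the extractor opens a file for writing. The extraction directory `EXTRACT_ROOT`, the tarball entries, and the `simulateExtraction` and `demo` helpers are constructed here for illustration and are assumptions, not Bun's code.

```typescript
import * as path from "node:path";

// A tar entry reduced to what matters for this example (constructed).
export type TarEntry =
  | { kind: "file"; name: string }
  | { kind: "symlink"; name: string; target: string };

// The two rules from the PR description, reimplemented for illustration
// (not Bun's source): reject absolute targets, then normalise
// <symlink's directory>/<target> and reject anything that still begins
// with "..". Paths are treated as POSIX, as tar entry names are.
export function isSymlinkTargetSafe(linkPath: string, target: string): boolean {
  if (target.startsWith("/")) return false;
  const combined = path.posix.normalize(
    path.posix.join(path.posix.dirname(linkPath), target),
  );
  // Match ".." exactly or a leading "../" so that a file that happens to be
  // named "..foo" inside the package is not rejected.
  return combined !== ".." && !combined.startsWith("../");
}

// Simulates extraction with and without the fix. Instead of touching the
// filesystem it records where each file entry would land, following any
// symlink "created" by an earlier entry one path component at a time.
export function simulateExtraction(
  root: string,
  entries: TarEntry[],
  validateSymlinks: boolean,
): { written: string[]; rejected: string[] } {
  const links = new Map<string, string>(); // absolute link path -> absolute target
  const written: string[] = [];
  const rejected: string[] = [];

  // Walk a root-relative path; ".." is applied to the physical path reached
  // so far, exactly as the kernel would after following a link.
  const resolvePath = (rel: string): string => {
    let cur = root;
    for (const part of rel.split("/")) {
      if (part === "" || part === ".") continue;
      cur = path.posix.join(cur, part);
      const linked = links.get(cur);
      if (linked !== undefined) cur = linked;
    }
    return cur;
  };

  for (const entry of entries) {
    if (entry.kind === "symlink") {
      if (validateSymlinks && !isSymlinkTargetSafe(entry.name, entry.target)) {
        rejected.push(entry.name);
        continue; // the fix: the link is never created
      }
      const linkAbs = resolvePath(entry.name);
      const targetAbs = entry.target.startsWith("/")
        ? path.posix.normalize(entry.target)
        : resolvePath(path.posix.join(path.posix.dirname(entry.name), entry.target));
      links.set(linkAbs, targetAbs);
    } else {
      written.push(resolvePath(entry.name));
    }
  }
  return { written, rejected };
}

// Hypothetical extraction directory and a constructed malicious tarball shaped
// like the one the PR describes: a link that escapes the package, then a file
// entry written through it.
export const EXTRACT_ROOT = "/var/cache/bun/pkg";
export const MALICIOUS_TARBALL: TarEntry[] = [
  { kind: "symlink", name: "symlink-to-tmp", target: "../../../../../../../tmp" },
  { kind: "file", name: "symlink-to-tmp/pwned.txt" },
];
// A benign package whose relative symlink stays inside the package.
export const BENIGN_TARBALL: TarEntry[] = [
  { kind: "file", name: "lib/index.js" },
  { kind: "symlink", name: "bin/cli", target: "../lib/index.js" },
];

export function demo(): void {
  const before = simulateExtraction(EXTRACT_ROOT, MALICIOUS_TARBALL, false);
  const after = simulateExtraction(EXTRACT_ROOT, MALICIOUS_TARBALL, true);
  console.log("vulnerable, written:", before.written); // [ '/tmp/pwned.txt' ]
  console.log("fixed, rejected:", after.rejected, "written:", after.written);
}
```

Run `demo()` with `bun run` or `tsx`: without validation the file lands at `/tmp/pwned.txt`; with it, `symlink-to-tmp` is rejected and the later file entry is written as an ordinary path under `EXTRACT_ROOT`, while the benign package's `bin/cli -> ../lib/index.js` passes. Two properties of this reimplementation are worth keeping in mind: the check is purely lexical (it never consults the filesystem), and rejecting file-entry names that themselves contain `..` is a separate check the PR does not describe, so the simulation assumes entry names have already been validated.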