mirror of
https://github.com/oven-sh/bun
synced 2026-02-18 06:41:50 +00:00
## Summary

- Fix path traversal vulnerability in tarball directory extraction on POSIX systems where `mkdiratZ` used the un-normalized `pathname` (raw from tarball) instead of the normalized `path` variable, allowing `../` components to escape the extraction root via kernel path resolution
- The Windows directory creation, symlink creation, and file creation code paths already correctly used the normalized path — only the two POSIX `mkdiratZ` calls were affected (lines 463 and 469)
- `bun install` is not affected because npm mode skips directory entries; affected callers include `bun create`, GitHub tarball extraction, and `compile_target`

## Test plan

- [x] Added regression test that crafts a tarball with `safe_dir/../../escaped_dir/` directory entry and verifies it cannot create directories outside the extraction root
- [x] Verified test **fails** with system bun (vulnerable) and **passes** with debug build (fixed)
- [x] Full `archive.test.ts` suite passes (99/99 tests)
- [x] `symlink-path-traversal.test.ts` continues to pass (3/3 tests)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
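The defect described above is the generic one in archive extractors: creating a directory from the entry name as it appears in the tarball lets the kernel resolve `..` components against the real filesystem, so a lexically normalized path must be computed and checked before any `mkdirat`. The following is an added example, not code from the Bun repository or from this commit, showing that check in Python with the standard `tarfile` module. It builds a constructed in-memory tarball of the same shape the regression test uses (a benign `safe_dir/` plus a `safe_dir/../../escaped_dir/` directory entry), extracts only directories and regular files under a root, and rejects any entry whose normalized path leaves that root. All function names here (`normalize_entry`, `safe_extract`, `build_demo_tarball`, `run_demo`) are hypothetical.

```python
"""Added example (not Bun's code): reject tarball entries that escape the
extraction root by normalizing the entry name before creating anything."""
import io
import os
import posixpath
import tarfile
import tempfile
from typing import Dict, List, Optional


def normalize_entry(name: str) -> Optional[str]:
    """Return the entry path normalized relative to the extraction root, or
    None when the entry is absolute or would climb above the root.

    Normalizing lexically here is the equivalent of using the fix's normalized
    `path` variable instead of the raw `pathname` from the archive header."""
    if name.startswith("/") or "\\" in name:
        return None
    norm = posixpath.normpath(name)
    if norm in ("", "."):
        return "."
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def safe_extract(tar_bytes: bytes, dest: str) -> Dict[str, List[str]]:
    """Extract directories and regular files from tar_bytes under dest.
    Symlinks, hard links and device entries are rejected outright here so the
    root-containment check cannot be bypassed through a link created earlier."""
    root = os.path.realpath(dest)
    result: Dict[str, List[str]] = {"extracted": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            rel = normalize_entry(member.name)
            if rel is None or not (member.isdir() or member.isfile()):
                result["rejected"].append(member.name)
                continue
            target = os.path.join(root, rel)
            # Second, non-lexical check: the final absolute path must still be
            # inside the root once the existing prefix is resolved.
            if os.path.commonpath([root, os.path.realpath(target)]) != root:
                result["rejected"].append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                src = tar.extractfile(member)
                assert src is not None
                with open(target, "wb") as out:
                    out.write(src.read())
            result["extracted"].append(rel)
    return result


def build_demo_tarball() -> bytes:
    """Constructed sample: a benign directory and file plus one directory entry
    whose name climbs two levels above the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        safe_dir = tarfile.TarInfo("safe_dir/")
        safe_dir.type = tarfile.DIRTYPE
        safe_dir.mode = 0o755
        tar.addfile(safe_dir)

        escaping = tarfile.TarInfo("safe_dir/../../escaped_dir/")
        escaping.type = tarfile.DIRTYPE
        escaping.mode = 0o755
        tar.addfile(escaping)

        data = b"hello\n"
        readme = tarfile.TarInfo("safe_dir/readme.txt")
        readme.size = len(data)
        readme.mode = 0o644
        tar.addfile(readme, io.BytesIO(data))
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the constructed tarball into <tmp>/extract_root and report
    whether a sibling <tmp>/escaped_dir was created (it must not be)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "extract_root")
        os.makedirs(root)
        report: dict = safe_extract(build_demo_tarball(), root)
        report["escaped_dir_created"] = os.path.isdir(os.path.join(tmp, "escaped_dir"))
        with open(os.path.join(root, "safe_dir", "readme.txt"), "rb") as f:
            report["readme_content"] = f.read()
    return report


if __name__ == "__main__":
    print(run_demo())
```

Note that `normalize_entry("safe_dir/../inside")` legitimately yields `inside`: normalization only rejects paths whose resolved form starts with `..`, which is exactly the property the kernel would not enforce for you if the raw name were passed to `mkdirat`.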