fix(asar): check ResolvedFileSet src when verifying symlinks to be within project directory (#8654)

mmaietta · web-flow · commit 9e11358fc282 · 2024-11-01T10:45:02.000-07:00
diff --git a/.changeset/smooth-camels-decide.md b/.changeset/smooth-camels-decide.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: check ResolvedFileSet src when verifying symlinks to be within project directory
diff --git a/packages/app-builder-lib/src/asar/asarUtil.ts b/packages/app-builder-lib/src/asar/asarUtil.ts
@@ -19,7 +19,6 @@ export class AsarPackager {
 
   constructor(
     private readonly config: {
-      appDir: string
       defaultDestination: string
       resourcePath: string
       options: AsarOptions
@@ -86,7 +85,14 @@ export class AsarPackager {
         return
       }
     }
-    const writeFileOrSymlink = async (transformedData: string | Buffer | undefined, source: string, destination: string, stat: fs.Stats) => {
+    const writeFileOrSymlink = async (options: { transformedData: string | Buffer | undefined; file: string; destination: string; stat: fs.Stats; fileSet: ResolvedFileSet }) => {
+      const {
+        transformedData,
+        file: source,
+        destination,
+        stat,
+        fileSet: { src: sourceDir },
+      } = options
       copiedFiles.add(destination)
 
       // If transformed data, skip symlink logic
@@ -100,8 +106,7 @@ export class AsarPackager {
         return this.copyFileOrData(undefined, source, destination, stat)
       }
 
-      const realPathRelative = path.relative(this.config.appDir, realPathFile)
-      const symlinkTarget = path.resolve(this.rootForAppFilesWithoutAsar, realPathRelative)
+      const realPathRelative = path.relative(sourceDir, realPathFile)
       const isOutsidePackage = realPathRelative.startsWith("..")
       if (isOutsidePackage) {
         log.error({ source: log.filePath(source), realPathFile: log.filePath(realPathFile) }, `unable to copy, file is symlinked outside the package`)
@@ -110,6 +115,7 @@ export class AsarPackager {
         )
       }
 
+      const symlinkTarget = path.resolve(this.rootForAppFilesWithoutAsar, realPathRelative)
       await this.copyFileOrData(undefined, source, symlinkTarget, stat)
       const target = path.relative(path.dirname(destination), symlinkTarget)
       fsNode.symlinkSync(target, destination)
@@ -130,7 +136,7 @@ export class AsarPackager {
         const dest = path.resolve(this.rootForAppFilesWithoutAsar, relative)
 
         matchUnpacker(file, dest, metadata)
-        taskManager.addTask(writeFileOrSymlink(transformedData, file, dest, metadata))
+        taskManager.addTask(writeFileOrSymlink({ transformedData, file, destination: dest, stat: metadata, fileSet }))
 
         if (taskManager.tasks.length > MAX_FILE_REQUESTS) {
           await taskManager.awaitTasks()
diff --git a/packages/app-builder-lib/src/platformPackager.ts b/packages/app-builder-lib/src/platformPackager.ts
@@ -505,7 +505,6 @@ export abstract class PlatformPackager<DC extends PlatformSpecificBuildOptions>
           }
 
           await new AsarPackager({
-            appDir,
             defaultDestination,
             resourcePath,
             options: asarOptions,

Original file line number	Diff line number	Diff line change
`@@ -505,7 +505,6 @@ export abstract class PlatformPackager<DC extends PlatformSpecificBuildOptions>`
`505`	`505`	`}`
`506`	`506`
`507`	`507`	`await new AsarPackager({`
`508`		`- appDir,`
`509`	`508`	`defaultDestination,`
`510`	`509`	`resourcePath,`
`511`	`510`	`options: asarOptions,`