authorDavid Sherret <dsherret@users.noreply.github.com>2023-06-13 09:48:13 -0400
committerGitHub <noreply@github.com>2023-06-13 09:48:13 -0400
commit5348778666d2d8d7ce138bbdf75ac5aa9f7ed428 (patch)
tree6e56bf6a3de07031c59a27eb4d7d6b0444833877
parent3191ffdaafccca53eddfe0672c8b4cb6d428caba (diff)
fix(npm): warn when tarball contains hardlink or symlink (#19474)
This is to help us get some visibility into whether we need to support this.
-rw-r--r--cli/npm/tarball.rs22
1 files changed, 20 insertions, 2 deletions
diff --git a/cli/npm/tarball.rs b/cli/npm/tarball.rs
index ce1ac3339..18a555671 100644
--- a/cli/npm/tarball.rs
+++ b/cli/npm/tarball.rs
@@ -107,8 +107,26 @@ fn extract_tarball(data: &[u8], output_folder: &Path) -> Result<(), AnyError> {
)
}
}
- if entry.header().entry_type() == EntryType::Regular {
- entry.unpack(&absolute_path)?;
+
+ let entry_type = entry.header().entry_type();
+ match entry_type {
+ EntryType::Regular => {
+ entry.unpack(&absolute_path)?;
+ }
+ EntryType::Symlink | EntryType::Link => {
+ // At the moment, npm doesn't seem to support uploading hardlinks or
+ // symlinks to the npm registry. If ever adding symlink or hardlink
+ // support, we will need to validate that the hardlink and symlink
+ // target are within the package directory.
+ log::warn!(
+ "Ignoring npm tarball entry type {:?} for '{}'",
+ entry_type,
+ absolute_path.display()
+ )
+ }
+ _ => {
+ // ignore
+ }
}
}
Ok(())
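Review bot: The `log::warn!` in the `EntryType::Symlink | EntryType::Link` arm prints `absolute_path.display()`, and `display()` writes control characters through unescaped; that path is built above the hunk, presumably from the entry name inside a registry tarball, so a crafted name could put terminal escape sequences or forged lines into the warning output. Formatting the path with Debug escapes them: `"Ignoring npm tarball entry type {:?} for {:?}"` with `absolute_path` passed directly instead of `absolute_path.display()`. The `_ => {}` arm still drops every other entry type with no message at all, so its `// ignore` comment should say which types are expected to land there and why silence is acceptable for them. `extract_tarball` starts before this hunk and its closing brace lies after it.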