CVE-2021-32804

### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution `node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. ### Patches 3.2.2 || 4.4.14 || 5.0.6 || 6.1.1 NOTE: an adjacent issue [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw) affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case. ### Workarounds Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. ```js const path = require('path') const tar = require('tar') tar.x({ file: 'archive.tgz', // either add this function... onentry: (entry) => { if (path.isAbsolute(entry.path)) { entry.path = sanitizeAbsolutePathSomehow(entry.path) entry.absolute = path.resolve(entry.path) } }, // or this one filter: (file, entry) => { if (path.isAbsolute(entry.path)) { return false } else { return true } } }) ``` Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.