@@ -32,19 +32,38 @@ implementation. (Note that most of these are disabled if
3232 is set, or the extraction is run as root.
3333- File and directory modes in the archive are ignored, unless
3434 the ` chmod: true ` option is set.
35-
36- ** However** , care must still be taken when dealing with data from
37- unknown sources, especially when extracting files, with this or
38- any library, no matter how hardened it may be.
35+ - A path-reservation system is used to ensure that even when
36+ multiple entries are being extracted in parallel, subsequent
37+ entries with the same filename will not interfere with one
38+ another (for example, exchanging a file with a symbolic link
39+ while it is being written to).
40+ - Unicode characters in path names are fully normalized, to
41+ prevent evading these protections with unicode equivalences.
42+
43+ It is frankly unlikely that any tar implementation in JavaScript
44+ is going to be as secure as this one, unless a similar amount of
45+ work is put into it, putting it to the test over many years of
46+ intensive use and scrutiny. You can vibe-code a tar extractor in
47+ an afternoon, but you'll regret it.
48+
49+ > [ !WARNING]
50+ >
51+ > ** However** , all that being said, _ care must still be taken_
52+ > when dealing with data from unknown sources, especially when
53+ > extracting files, with this or any library, no matter how
54+ > hardened it may be. It is _ your_ responsibility to use this
55+ > library safely.
3956
40571 . ** NEVER** extract tarball data into a folder that could be
4158 potentially controlled by an unknown actor. A clever attacker
4259 can swap out the target of an extracted file with a symbolic
4360 link to some location of their choosing, resulting in writing
4461 files outside the target folder. There is no reasonable way to
4562 harden against this category of attack, and security reports
46- about it will be closed. TOCTOU exposure is unavoidable when
47- creating files based on entries in an archive file.
63+ about it will be closed.
64+ [ TOCTOU] ( https://cwe.mitre.org/data/definitions/367.html )
65+ exposure is unavoidable when creating files based on entries
66+ in an archive file.
48672 . If you are unpacking tarballs that may come from an unknown
4968 source, it is ** highly recommended** that you use a filter
5069 function that rejects all hardlinks and symbolic links. Link
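Review bot: The new path-reservation bullet ("exchanging a file with a symbolic link while it is being written to") reads as though it closes the very race that item 1 below still calls unavoidable TOCTOU exposure; make the scope explicit, i.e. that reservation only serializes entries from the same archive being extracted in parallel and does not protect against a third party with write access to the destination folder, which is the case item 1 warns about. The "fully normalized" bullet should also name the normalization form applied (NFC or NFKC, for example) so readers can tell which Unicode equivalences are actually collapsed. Finally, the "vibe-code a tar extractor in an afternoon" paragraph is editorial rather than documentation and sits oddly between the hardening list and the warning block; consider shortening or dropping it.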