From f687b634723c58ef6bace2e657828004e5d30253 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Fri, 31 Jan 2020 17:47:02 +0100
Subject: [PATCH] Fixes arbitrary file write on fetch (#7831)
---
 src/fetchers/tarball-fetcher.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/fetchers/tarball-fetcher.js b/src/fetchers/tarball-fetcher.js
index 8d1a452262..c06cc1101e 100644
--- a/src/fetchers/tarball-fetcher.js
+++ b/src/fetchers/tarball-fetcher.js
@@ -136,6 +136,11 @@ export default class TarballFetcher extends BaseFetcher {
 chown: false, // don't chown. just leave as it is
 map: header => {
 header.mtime = now;
+ if (header.linkname) {
+ const basePath = path.posix.dirname(path.join('/', header.name));
+ const jailPath = path.posix.join(basePath, header.linkname);
+ header.linkname = path.posix.relative('/', jailPath);
+ }
 return header;
 },
 fs: patchedFs,
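Review bot: The `basePath` line mixes the platform `path.join` with `path.posix.dirname`, while every other call in the new block uses `path.posix`. On Windows the inner join would return a backslash-separated path that `path.posix.dirname` does not split, so the jail base is probably not the entry's directory there; `const basePath = path.posix.dirname(path.posix.join('/', header.name));` keeps the normalisation platform-independent. The rewritten `linkname` is also relative to the archive root, whereas a symlink target is normally resolved from the link's own directory, so legitimate relative symlinks inside a package may stop resolving; a comment such as `// clamp link targets to the extraction root; entries cannot point outside it` would state the intended trade-off. The commit touches only this file, so a regression test with a tarball entry whose `linkname` contains `../` segments or an absolute path would pin the behaviour. The enclosing extract call starts and ends outside the hunk, so how the extractor consumes `header.linkname` for each entry type is not visible here.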