fix(security): harden file installs and race-path tests

2026-03-02 19:29:17 +00:00
parent e1bc5cad25
commit dbbd41a2ed
5 changed files with 199 additions and 137 deletions
--- a/src/test-utils/symlink-rebind-race.ts
+++ b/src/test-utils/symlink-rebind-race.ts
@@ -1,6 +1,17 @@
 import fs from "node:fs/promises";
+import path from "node:path";
 import { vi } from "vitest";

+export async function createRebindableDirectoryAlias(params: {
+  aliasPath: string;
+  targetPath: string;
+}): Promise<void> {
+  const aliasPath = path.resolve(params.aliasPath);
+  const targetPath = path.resolve(params.targetPath);
+  await fs.rm(aliasPath, { recursive: true, force: true });
+  await fs.symlink(targetPath, aliasPath, process.platform === "win32" ? "junction" : undefined);
+}
+
 export async function withRealpathSymlinkRebindRace<T>(params: {
  shouldFlip: (realpathInput: string) => boolean;
  symlinkPath: string;
@@ -17,13 +28,17 @@ export async function withRealpathSymlinkRebindRace<T>(params: {
      if (!flipped && params.shouldFlip(filePath)) {
        flipped = true;
        if (params.timing !== "after-realpath") {
-          await fs.rm(params.symlinkPath, { recursive: true, force: true });
-          await fs.symlink(params.symlinkTarget, params.symlinkPath);
+          await createRebindableDirectoryAlias({
+            aliasPath: params.symlinkPath,
+            targetPath: params.symlinkTarget,
+          });
          return await realRealpath(...args);
        }
        const resolved = await realRealpath(...args);
-        await fs.rm(params.symlinkPath, { recursive: true, force: true });
-        await fs.symlink(params.symlinkTarget, params.symlinkPath);
+        await createRebindableDirectoryAlias({
+          aliasPath: params.symlinkPath,
+          targetPath: params.symlinkTarget,
+        });
        return resolved;
      }
      return await realRealpath(...args);