Create ALLOWLIST to prioritize over DENYLIST to account for when HOME dir is within a system dir via symlink (#9025) [ such as with Fedora Silverblue ]

Author: mmaietta

.changeset/fast-parrots-turn.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: allow home dir when it's symlinked from /var/home

packages/app-builder-lib/src/asar/asarUtil.ts

@@ -1,6 +1,6 @@
 import { createPackageFromStreams, AsarStreamType, AsarDirectory } from "@electron/asar"
 import { log } from "builder-util"
-import { Filter } from "builder-util/out/fs"
+import { exists, Filter } from "builder-util/out/fs"
 import * as fs from "fs-extra"
 import { readlink } from "fs-extra"
 import * as path from "path"
@@ -11,6 +11,43 @@ import { detectUnpackedDirs } from "./unpackDetector"
 import { Readable } from "stream"
 import * as os from "os"
 
+const DENYLIST = Promise.all(
+  [
+    "/usr",
+    "/lib",
+    "/bin",
+    "/sbin",
+    "/etc",
+
+    "/tmp",
+    "/var", // block whole /var by default. If $HOME is under /var, it's explicitly in ALLOWLIST
+
+    // macOS system directories
+    "/System",
+    "/Library",
+    "/private",
+
+    // Windows system directories
+    process.env.SystemRoot,
+    process.env.WINDIR,
+  ]
+    .filter((it): it is string => it != null)
+    .map(async it => ((await exists(it)) ? await resolvePath(it) : null))
+    .filter((it): it is Promise<string> => it != null)
+)
+
+const ALLOWLIST = Promise.all(
+  [
+    process.env.HOME, // always allow current user’s home
+    os.tmpdir(), // always allow temp directory
+  ]
+    .filter((it): it is string => it != null)
+    .map(async it => ((await exists(it)) ? await resolvePath(it) : null))
+    .filter((it): it is Promise<string> => it != null)
+)
+
+const resolvePath = (file: string) => fs.realpath(file).catch(() => path.resolve(file))
+
 /** @internal */
 export class AsarPackager {
   private readonly outFile: string
@@ -148,7 +185,7 @@ export class AsarPackager {
     }
 
     // verify that the file is not a direct link or symlinked to access/copy a system file
-    await this.protectSystemAndUnsafePaths(file)
+    await this.protectSystemAndUnsafePaths(file, await this.packager.info.getWorkspaceRoot())
 
     const config = {
       path: destination,
@@ -165,9 +202,6 @@ export class AsarPackager {
       }
     }
 
-    // guard against symlink pointing to outside workspace root
-    await this.protectSystemAndUnsafePaths(file, await this.packager.info.getWorkspaceRoot())
-
     // okay, it must be a symlink. evaluate link to be relative to source file in asar
     let link = await readlink(file)
     if (path.isAbsolute(link)) {
@@ -233,80 +267,41 @@ export class AsarPackager {
     }
   }
 
-  private async getProtectedPaths(): Promise<string[]> {
-    const systemPaths = [
-      // Generic *nix
-      "/usr",
-      "/lib",
-      "/bin",
-      "/sbin",
-      "/System",
-      "/Library",
-      "/private/etc",
-      "/private/var/db",
-      "/private/var/root",
-      "/private/var/log",
-      "/private/tmp",
-
-      // macOS legacy symlinks
-      "/etc",
-      "/var",
-      "/tmp",
-
-      // Windows
-      process.env.SystemRoot,
-      process.env.WINDIR,
-      // process.env.ProgramFiles,
-      // process.env["ProgramFiles(x86)"],
-      // process.env.ProgramData,
-      // process.env.CommonProgramFiles,
-      // process.env["CommonProgramFiles(x86)"],
-    ]
-      .filter(Boolean)
-      .map(p => path.resolve(p as string))
-
-    // Normalize to real paths to prevent symlink bypasses
-    const resolvedPaths: string[] = []
-    for (const p of systemPaths) {
-      try {
-        resolvedPaths.push(await fs.realpath(p))
-      } catch {
-        resolvedPaths.push(path.resolve(p))
+  private async checkAgainstRoots(target: string, allowRoots: string[]): Promise<boolean> {
+    const resolved = await resolvePath(target)
+
+    for (const root of allowRoots) {
+      const resolvedRoot = root
+      if (resolved === resolvedRoot || resolved.startsWith(resolvedRoot + path.sep)) {
+        return true
       }
     }
-
-    return resolvedPaths
+    return false
   }
 
-  private async protectSystemAndUnsafePaths(file: string, workspaceRoot?: string): Promise<boolean> {
-    const resolved = await fs.realpath(file).catch(() => path.resolve(file))
+  private async protectSystemAndUnsafePaths(file: string, workspaceRoot: string): Promise<boolean> {
+    const resolved = await resolvePath(file)
 
-    const scan = async () => {
-      if (workspaceRoot) {
-        const workspace = path.resolve(workspaceRoot)
+    const isUnsafe = async () => {
+      const workspace = await resolvePath(workspaceRoot)
 
-        if (!resolved.startsWith(workspace)) {
-          return true
-        }
-      }
-
-      // Allow temp & cache folders
-      const tmpdir = await fs.realpath(os.tmpdir())
-      if (resolved.startsWith(tmpdir)) {
+      if (resolved.startsWith(workspace)) {
         return false
       }
 
-      const blockedSystemPaths = await this.getProtectedPaths()
-      for (const sys of blockedSystemPaths) {
-        if (resolved.startsWith(sys)) {
-          return true
-        }
-      }
+      const denied = await this.checkAgainstRoots(file, await DENYLIST)
+      const allowed = await this.checkAgainstRoots(file, await ALLOWLIST)
 
+      if (allowed) {
+        return false // allowlist overrides everything
+      }
+      if (denied) {
+        return true // blocked unless explicitly allowed
+      }
       return false
     }
 
-    const unsafe = await scan()
+    const unsafe = await isUnsafe()
 
     if (unsafe) {
       log.error({ source: file, realPath: resolved }, `unable to copy, file is from outside the package to a system or unsafe path`)