CVE-2026-24842 node-tar: Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

[sbouchet]

What does this PR do?

This PR fixes GHSA-34x7-hfp2-rc4v : Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal.
tar version is updated to 7.5.8

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-10039
https://issues.redhat.com/browse/CRW-10249

also
fixes https://github.com/che-incubator/che-code/security/dependabot/6
fixes https://github.com/che-incubator/che-code/security/dependabot/58
fixes https://github.com/che-incubator/che-code/security/dependabot/62
fixes https://github.com/che-incubator/che-code/security/dependabot/7
fixes https://github.com/che-incubator/che-code/security/dependabot/4
fixes https://github.com/che-incubator/che-code/security/dependabot/54
fixes https://github.com/che-incubator/che-code/security/dependabot/5
fixes https://github.com/che-incubator/che-code/security/dependabot/57
fixes https://github.com/che-incubator/che-code/security/dependabot/45
fixes https://github.com/che-incubator/che-code/security/dependabot/44

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

[github-actions]

Click here to review and test in web IDE:

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[RomanNikitenko]

The problem is fixed from the security point of view.

I just noticed that gulp-untar@0.0.7 requires tar@2.2.2,
but we override it to 7.5.7

2.2.2 => 7.5.7 = too big difference = some risk

At the same time gulp-untar@0.0.7 was published 8 years ago, so no chance to get it updated to fix the problem. So, only replacing gulp-untar by another dependency could be an alternative solution...

[sbouchet]

The problem is fixed from the security point of view.

I just noticed that gulp-untar@0.0.7 requires tar@2.2.2, but we override it to 7.5.7

2.2.2 => 7.5.7 = too big difference = some risk

At the same time gulp-untar@0.0.7 was published 8 years ago, so no chance to get it updated to fix the problem. So, only replacing gulp-untar by another dependency could be an alternative solution...

one possible solution might be to use https://www.npmjs.com/package/gulp-decompress

[RomanNikitenko]

@sbouchet
I haven’t looked into this in depth and I’m not sure how many changes are needed, so I’ll rely on your expertise.

[sbouchet]

npm audit says :

tar  <7.5.8
Severity: high
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
fix available via `npm audit fix --force`
Will install @vscode/sqlite3@5.1.12-vscode, which is a breaking change
node_modules/tar
  @vscode/sqlite3  5.1.2-vscode || 5.1.3-vscode - 5.1.11-vscode
  Depends on vulnerable versions of tar
  node_modules/@vscode/sqlite3

so i'll rework this PR to bump to at least 7.5.8
advisory GHSA-83g3-92jg-28cx
jira https://issues.redhat.com/browse/CRW-10249

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[sbouchet]

forgot to add rebase rules for source code. please wait for PR to be ready for review

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

[RomanNikitenko]

rebasing rule should be added for this change

[RomanNikitenko]

no rebasing rule for this change