Google ZX Symlink Logic Error Leading to Unintended Deletion of External Node Modules
Vulnerability
A vulnerability in Google ZX versions prior to the release that includes the fix for this issue allows for unintended deletion of external node_modules directories when the CLI is invoked with the --prefer-local option. The cause is a logic error in the cleanup process: the function responsible for removing the local alias mistakenly returns the target path of the symlink instead of the alias itself, so the cleanup removes the actual target directory rather than the link. The issue has been confirmed to reproduce consistently on Node.js v18 and v20 on Linux.
Impact
Exploitation of this vulnerability results in the unintentional deletion of an external node_modules directory, which can disrupt builds, continuous integration processes, or developer projects.
Reproduction
To reproduce this vulnerability, first prepare a project with a node_modules directory containing a file (e.g., proof.txt) to confirm its presence. Then, from a clean working directory, invoke Google ZX version 8.8.3 with the --prefer-local option pointing to the victim project. After running the command, check the victim project's node_modules directory. The correct outcome would be that the directory is still present; instead, it will have been deleted.
Remediation
Users can update to the latest version of Google ZX, which includes the necessary fix. Instructions for updating are available in the project's GitHub repository.
