From 01ef1f67eb6af3d802c29c69e83ece2715268094 Mon Sep 17 00:00:00 2001
From: Elvis Wianda
Date: Wed, 26 Feb 2025 21:50:03 -0500
Subject: [PATCH] fix: Handle when readlink -f goes out of BIN-DIR

Noticed that on MacOS readlink -f goes out the sandbox in some cases
---
 lib/private/modify_mtree.awk | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/private/modify_mtree.awk b/lib/private/modify_mtree.awk
index c442e11ad..2787522a4 100644
--- a/lib/private/modify_mtree.awk
+++ b/lib/private/modify_mtree.awk
@@ -117,8 +117,9 @@ function make_relative_link(path1, path2, i, common, target, relative_path, back
 cmd = "readlink -f \"" path "\""
 cmd | getline resolved_path
 close(cmd)
- # If readlink -f fails use readlink for relative links
- if (resolved_path == "") {
+ # 1. If readlink -f fails use readlink for relative links
+ # 2. Make sure readlink -f doesn't escape BIN_DIR
+ if (resolved_path == "" || !(resolved_path ~ bin_dir)) {
 cmd = "readlink \"" path "\""
 cmd | getline resolved_path
 close(cmd)
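Review bot: The new containment test `!(resolved_path ~ bin_dir)` is an unanchored dynamic-regex match, so a resolved path that merely contains text matching `bin_dir` passes, `.` and `+` in the directory name are read as regex operators, and an empty `bin_dir` matches everything. A literal test such as `index(resolved_path, bin_dir) == 0` removes the regex interpretation; if `bin_dir` (set outside this hunk) is available in the same absolute form that `readlink -f` prints, the prefix test `index(resolved_path, bin_dir "/") != 1` would be the stricter check. Separately, `getline` leaves `resolved_path` unchanged when the fallback `readlink` prints nothing, so the out-of-tree value can survive the branch now that it is entered with a non-empty value; adding `resolved_path = ""` before the second `cmd | getline resolved_path` avoids that. The block continues past the end of the hunk, so whether the fallback result is validated later is not visible here.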