

Merge pull request #212 from aviadatsnyk/master
fix: prevent extracting archived files outside of target path.  Credit to Snyk Security Research Team for disclosure and fixing the issue.
cthackers authored Apr 23, 2018
2 parents e116bc1 + 6f4dfeb commit 62f6400
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions adm-zip.js
Expand Up @@ -354,6 +354,9 @@ module.exports = function(/*String*/input) {


var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));
if(!target.startsWith(targetPath)) {
throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
}

if (item.isDirectory) {
target = pth.resolve(target, "..");
Expand Down Expand Up @@ -429,6 +432,10 @@ module.exports = function(/*String*/input) {
_zip.entries.forEach(function(entry) {
entryName = entry.entryName.toString();

if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
}

if(isWin){
entryName = escapeFileName(entryName)
}
Expand Down Expand Up @@ -471,6 +478,10 @@ module.exports = function(/*String*/input) {
entryName = escapeFileName(entryName)
}

if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
}

if (entry.isDirectory) {
Utils.makeDir(pth.resolve(targetPath, entryName));
if(--i == 0)
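Review bot: The guard `if(!target.startsWith(targetPath))` in the first hunk is a plain string-prefix test, so a sibling directory whose name merely begins with the target path (constructed example: target `/out`, entry resolving to `/out-other/x`) passes it, and the two checks added in the later hunks (`pth.resolve(targetPath, entryName).startsWith(targetPath)`) share the same weakness. It also assumes `targetPath` is already absolute and normalized in the form `pth.resolve` returns; if the caller's value is relative or carries a trailing separator the comparison is against a different string than the resolved target, which cannot be confirmed here because the enclosing function starts outside the hunk. A separator-aware comparison against a resolved base covers both cases: `var base = pth.resolve(targetPath);` followed by `if (target !== base && !target.startsWith(base + pth.sep)) {`, with the same shape applied to the two later checks. The three hunks also differ in where the check sits relative to `escapeFileName`: the second hunk validates `entryName` before escaping while the third validates after, so the two extraction paths do not check the same string.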

1 comment on commit 62f6400

@Shubham-9798


adding adm-zip
