Better protection against malicious zips

mhr3 · Apr 20, 2024 · ab67989 · ab67989
1 parent 4a4be03
commit ab67989
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/unzip-stream.js b/lib/unzip-stream.js
@@ -288,7 +288,7 @@ UnzipStream.prototype._prepareOutStream = function (vars, entry) {
 
     var isDirectory = vars.uncompressedSize === 0 && /[\/\\]$/.test(entry.path);
     // protect against malicious zip files which want to extract to parent dirs
-    entry.path = entry.path.replace(/^([/\\]*[.]+[/\\]+)*[/\\]*/, "");
+    entry.path = entry.path.replace(/(?<=^|[/\\]+)[.][.]+(?=[/\\]+|$)/g, ".");
     entry.type = isDirectory ? 'Directory' : 'File';
     entry.isDirectory = isDirectory;