From ab67989719abb4dcc774d02de266151905b8d45a Mon Sep 17 00:00:00 2001
From: Michal Hruby
Date: Sat, 20 Apr 2024 18:02:41 +0100
Subject: [PATCH] Better protection against malicious zips
---
 lib/unzip-stream.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/unzip-stream.js b/lib/unzip-stream.js
index 5608184..cd55bb0 100644
--- a/lib/unzip-stream.js
+++ b/lib/unzip-stream.js
@@ -288,7 +288,7 @@ UnzipStream.prototype._prepareOutStream = function (vars, entry) {
     var isDirectory = vars.uncompressedSize === 0 && /[\/\\]$/.test(entry.path);
     // protect against malicious zip files which want to extract to parent dirs
-    entry.path = entry.path.replace(/^([/\\]*[.]+[/\\]+)*[/\\]*/, "");
+    entry.path = entry.path.replace(/(?<=^|[/\\]+)[.][.]+(?=[/\\]+|$)/g, ".");
     entry.type = isDirectory ? 'Directory' : 'File';
     entry.isDirectory = isDirectory;
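Review bot: The new regex on the `+` line drops a protection the removed line had: the old pattern also stripped leading `/` and `\` (the trailing `[/\\]*`), whereas the new one only rewrites dot-only path components, so an entry named `/etc/passwd` or `\\host\share\x` now keeps its leading separator. Whether that is exploitable depends on how the extractor combines `entry.path` with the output directory, which is outside this hunk (`path.join` would neutralize it, `path.resolve` or string concatenation would not), so it is safer to keep both guards: `entry.path = entry.path.replace(/(?<=^|[/\\]+)[.][.]+(?=[/\\]+|$)/g, ".").replace(/^[/\\]+/, "");`. Note also that the lookbehind `(?<=…)` needs V8 with ES2018 regex support (Node 9+); if the package still declares older engines, the equivalent capture form `entry.path.replace(/(^|[/\\]+)[.][.]+(?=[/\\]+|$)/g, "$1.")` avoids it. The enclosing `_prepareOutStream` starts and ends outside this hunk.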