fix: prevent extracting archived files outside of target path

2026-04-29 20:35:51 +08:00 · 2018-04-22 11:22:24 +03:00
parent e116bc18df
commit 6f4dfeb9a2
1 changed files with 11 additions and 0 deletions
--- a/adm-zip.js
+++ b/adm-zip.js
@@ -354,6 +354,9 @@ module.exports = function(/*String*/input) {


            var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));
+            if(!target.startsWith(targetPath)) {
+                throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+            }

            if (item.isDirectory) {
                target = pth.resolve(target, "..");
@@ -429,6 +432,10 @@ module.exports = function(/*String*/input) {
            _zip.entries.forEach(function(entry) {
                entryName = entry.entryName.toString();

+                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                    throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+                }
+
                if(isWin){
                    entryName = escapeFileName(entryName)
                }
@@ -471,6 +478,10 @@ module.exports = function(/*String*/input) {
                    entryName = escapeFileName(entryName)
                }

+                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                  throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+                }
+
                if (entry.isDirectory) {
                    Utils.makeDir(pth.resolve(targetPath, entryName));
                    if(--i == 0)