Merge pull request #63 from Muelsy/restrict

Restrict file extraction to the target path
bower · Jan 17, 2019 · f605885 · f605885
2 parents 26807e6 + 9a908bd
commit f605885
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ Returns an EventEmitter with two possible events - `error` on an error, and `ext
 - **follow** *Boolean* - If true, rather than create stored symlinks as symlinks make a shallow copy of the target instead (default `false`)
 - **filter** *Function* - A function that will be called once for each file in the archive. It takes one argument which is an object containing details of the file. Return true for any file that you want to extract, and false otherwise. (default `null`)
 - **strip** *Number* - Remove leading folders in the path structure. Equivalent to `--strip-components` for tar.
+- **restrict** *Boolean* - If true, will restrict files from being created outside `options.path`. Setting to `false` has significant security [implications](https://snyk.io/research/zip-slip-vulnerability) if you are extracting untrusted data. (default `true`)
 
 ```js
 var DecompressZip = require('decompress-zip');

diff --git a/lib/decompress-zip.js b/lib/decompress-zip.js
@@ -77,15 +77,26 @@ DecompressZip.prototype.extract = function (options) {
     var self = this;
 
     options = options || {};
-    options.path = options.path || '.';
+    options.path = options.path || process.cwd();
     options.filter = options.filter || null;
     options.follow = !!options.follow;
     options.strip = +options.strip || 0;
+    options.restrict = options.restrict !== false;
+
 
     this.getFiles()
     .then(function (files) {
         var copies = [];
-
+        if (options.restrict) {
+          files = files.map(function (file) {
+            var destination = path.join(options.path, file.path);
+            // The destination path must not be outside options.path
+            if (destination.indexOf(options.path) !== 0) {
+              throw new Error('You cannot extract a file outside of the target path');
+            }
+            return file;
+          });
+        }
         if (options.filter) {
             files = files.filter(options.filter);
         }

diff --git a/test/assets/restrict-pack/escape.zip b/test/assets/restrict-pack/escape.zip
diff --git a/test/test.js b/test/test.js
@@ -121,6 +121,20 @@ describe('Extract', function () {
 
             zip.extract({path: tmpDir.path()});
         });
+        it('should emit an error when a file attempts to escape the current working directory', function (done) {
+          var zip = new DecompressZip(assetsDir + 'restrict-pack/escape.zip');
+          zip.on('extract', function () {
+              assert(false, '"extract" event should not fire');
+              done();
+          });
+
+          zip.on('error', function (error) {
+              assert(true, '"error" event should fire');
+              done();
+          });
+
+          zip.extract({path: tmpDir.path(), strip: 3});
+        });
     });
 
     describe('directory creation', function () {