Restrict file extraction to the target path #63
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ensures that file extraction stays within the defined target path. Functionality is controlled by the boolean 'restrict' which defaults to true.
|
Thank you very much for contributing, I'm releasing it right away |
|
Released as 0.3.2 |
This was referenced Mar 16, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently decompress-zip will extract files outside of the scope of the specified target directory. This has significant security implications when decompressing files from untrusted users.
This pull request aims to fix this issue by ensuring that the destination path is not be outside set path. \
A new unit test has also been added to verify this functionality. The test archive has been taken from https://github.com/snyk/zip-slip-vulnerability/tree/master/archives