Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict file extraction to the target path #63

Merged
merged 1 commit into from Jan 17, 2019
+28 −2
Merged

Restrict file extraction to the target path #63

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Expand Up @@ -16,6 +16,7 @@ Returns an EventEmitter with two possible events - `error` on an error, and `ext
- **follow** *Boolean* - If true, rather than create stored symlinks as symlinks make a shallow copy of the target instead (default `false`)
- **filter** *Function* - A function that will be called once for each file in the archive. It takes one argument which is an object containing details of the file. Return true for any file that you want to extract, and false otherwise. (default `null`)
- **strip** *Number* - Remove leading folders in the path structure. Equivalent to `--strip-components` for tar.
- **restrict** *Boolean* - If true, will restrict files from being created outside `options.path`. Setting to `false` has significant security [implications](https://snyk.io/research/zip-slip-vulnerability) if you are extracting untrusted data. (default `true`)

```js
var DecompressZip = require('decompress-zip');
Expand Down
15 changes: 13 additions & 2 deletions lib/decompress-zip.js
View file
Open in desktop
Expand Up @@ -77,15 +77,26 @@ DecompressZip.prototype.extract = function (options) {
var self = this;

options = options || {};
options.path = options.path || '.';
options.path = options.path || process.cwd();
options.filter = options.filter || null;
options.follow = !!options.follow;
options.strip = +options.strip || 0;
options.restrict = options.restrict !== false;


this.getFiles()
.then(function (files) {
var copies = [];

if (options.restrict) {
files = files.map(function (file) {
var destination = path.join(options.path, file.path);
// The destination path must not be outside options.path
if (destination.indexOf(options.path) !== 0) {
throw new Error('You cannot extract a file outside of the target path');
}
return file;
});
}
if (options.filter) {
files = files.filter(options.filter);
}
Expand Down
Binary file added test/assets/restrict-pack/escape.zip
View file
Open in desktop
Binary file not shown.
14 changes: 14 additions & 0 deletions test/test.js
View file
Open in desktop
Expand Up @@ -121,6 +121,20 @@ describe('Extract', function () {

zip.extract({path: tmpDir.path()});
});
it('should emit an error when a file attempts to escape the current working directory', function (done) {
var zip = new DecompressZip(assetsDir + 'restrict-pack/escape.zip');
zip.on('extract', function () {
assert(false, '"extract" event should not fire');
done();
});

zip.on('error', function (error) {
assert(true, '"error" event should fire');
done();
});

zip.extract({path: tmpDir.path(), strip: 3});
});
});

describe('directory creation', function () {
Expand Down