asar not verifying filenames before passing them to minimatch

While working on tracking down [a bug with sharp](https://github.com/lovell/sharp/issues/3250#issuecomment-1152785631), we found that asar is not verifying file names before passing them to its minimatch dependency.

[electron/asar@94cb8bd/lib/asar.js#L123](https://github.com/electron/asar/blob/94cb8bdfea6257d7bc67f72ed80a790c2b5dae3a/lib/asar.js#L123)

[isaacs/minimatch@6410ef3/minimatch.js#L128](https://github.com/isaacs/minimatch/blob/6410ef32f59e4842121ca13eefacdf0b3da8533c/minimatch.js#L128)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

asar not verifying filenames before passing them to minimatch #238

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

asar not verifying filenames before passing them to minimatch #238

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions