add test for async unzipping a zip-slip attack file

Mostafa-Samir · Dec 30, 2021 · 3739f43 · 3739f43
1 parent ddadc01
commit 3739f43
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/tests/cleanup.js b/tests/cleanup.js
@@ -12,7 +12,9 @@ var file_list = [
 
 var dir_list = [
     "./tests/assets/hello-async-unzip",
-    "./tests/assets/hello-sync-unzip"
+    "./tests/assets/hello-sync-unzip",
+    "./tests/assets/zip-slip-async",
+    "./tests/assets/zip-slip-sync"
 ];
 
 async.each(file_list, function (file, callback) {

diff --git a/tests/unzip.async.test.js b/tests/unzip.async.test.js
@@ -46,6 +46,24 @@ describe("Unzipping asynchronously", function () {
         });
     });
 
+    it("should raise an error when an entry is outside extraction path", function (done) {
+        zipper.unzip("./tests/assets/zip-slip.zip", function(error, unzipped) {
+
+            expect(error).to.equal(null);
+
+            fs.mkdir("./tests/assets/zip-slip-async", function (err) {
+                if (err)
+                    throw err;
+
+                unzipped.save("./tests/assets/zip-slip-async", function (error) {
+                    expect(error).to.be.an("error");
+                    expect(error.message).to.equal("Entry is outside the extraction path");
+                    done();
+                });
+            });
+        });
+    });
+
     it("should check if unzipped files on disk contain correct data", function (done) {
 
         fs.readFile("./tests/assets/hello-async-unzip/hello/says-hello", 'utf8', function (err, data) {