From 3739f43a2050c89ec4964935081f2ac1a84e6e47 Mon Sep 17 00:00:00 2001
From: Mostafa Samir
Date: Thu, 30 Dec 2021 17:45:04 +0200
Subject: [PATCH] add test for async unzipping a zip-slip attack file
---
 tests/cleanup.js | 4 +++-
 tests/unzip.async.test.js | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/tests/cleanup.js b/tests/cleanup.js
index f4291c9..6d192b9 100644
--- a/tests/cleanup.js
+++ b/tests/cleanup.js
@@ -12,7 +12,9 @@ var file_list = [
 var dir_list = [
 "./tests/assets/hello-async-unzip",
- "./tests/assets/hello-sync-unzip"
+ "./tests/assets/hello-sync-unzip",
+ "./tests/assets/zip-slip-async",
+ "./tests/assets/zip-slip-sync"
 ];
 async.each(file_list, function (file, callback) {
diff --git a/tests/unzip.async.test.js b/tests/unzip.async.test.js
index 1dc8ca5..fdb48d6 100644
--- a/tests/unzip.async.test.js
+++ b/tests/unzip.async.test.js
@@ -46,6 +46,24 @@ describe("Unzipping asynchronously", function () {
 });
 });
+ it("should raise an error when an entry is outside extraction path", function (done) {
+ zipper.unzip("./tests/assets/zip-slip.zip", function(error, unzipped) {
+
+ expect(error).to.equal(null);
+
+ fs.mkdir("./tests/assets/zip-slip-async", function (err) {
+ if (err)
+ throw err;
+
+ unzipped.save("./tests/assets/zip-slip-async", function (error) {
+ expect(error).to.be.an("error");
+ expect(error.message).to.equal("Entry is outside the extraction path");
+ done();
+ });
+ });
+ });
+ });
+
 it("should check if unzipped files on disk contain correct data", function (done) {
 fs.readFile("./tests/assets/hello-async-unzip/hello/says-hello", 'utf8', function (err, data) {
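Review bot: In tests/cleanup.js the new `"./tests/assets/zip-slip-sync"` entry has no test behind it in this patch: the diffstat lists only tests/cleanup.js and tests/unzip.async.test.js, so the synchronous save path gets no out-of-path coverage here. If the sync test lands in a follow-up commit, a one-line comment above the entry such as `// created by the zip-slip test in the sync suite` would explain why it is listed; otherwise the entry belongs in the commit that adds that test. The visible dir_list entries all sit under ./tests/assets, so a file written outside the extraction directory by a regressed check would presumably not be removed by this script; the rest of the script is outside the hunk.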
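Review bot: The new test in tests/unzip.async.test.js asserts only the error message passed to the `unzipped.save` callback, so it would still pass if the offending entry, or entries before it in the archive, had been written to disk before the error was reported. Add a file-system assertion inside that callback, for example `expect(fs.existsSync(ESCAPED_PATH)).to.equal(false);`, where ESCAPED_PATH is a placeholder for the location the archive's entry would resolve to (the entry name inside zip-slip.zip is not visible in this patch). Separately, `if (err) throw err;` in the `fs.mkdir` callback surfaces as an uncaught exception instead of going through `done`, and it trips on a directory left over from an earlier run; `if (err) return done(err);` reports the failure through the test itself. The enclosing `describe` block starts and continues outside the hunk.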