check if entries are going to be outside extraction directory

Mostafa-Samir · Dec 30, 2021 · 6bb9b59 · 6bb9b59
1 parent 3739f43
commit 6bb9b59
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/libs/ZipExport.js b/libs/ZipExport.js
@@ -16,6 +16,7 @@ var ZippedFS = require('./ZippedFS.js');
 function extract_to(_path, jszip, callback) {
 
     var extraction_path = _path === null ? "./" : path.normalize(_path);
+    var absolute_extraction_path = path.resolve(extraction_path);
     if(extraction_path[extraction_path.length - 1] !== path.sep) {
         extraction_path += path.sep;
     }
@@ -40,6 +41,14 @@ function extract_to(_path, jszip, callback) {
 
             var entry = jszip.files[name];
 
+            var extracted_entry_path = path.resolve(
+                path.join(absolute_extraction_path, name)
+            );
+            if (!extracted_entry_path.startsWith(absolute_extraction_path)) {
+                callback(new Error("Entry is outside the extraction path"))
+                return;
+            }
+
             if (entry.dir)
                 dirs.push(name);
             else