Merge pull request #59 from aviadatsnyk/fix/zip-slip

fix: prevent extracting archived files outside of target path

lib/extract.js

@@ -17,8 +17,17 @@ function Extract (opts) {
 
   self.on('entry', function(entry) {
     if (entry.type == 'Directory') return;
+
+    // to avoid zip slip (writing outside of the destination), we resolve
+    // the target path, and make sure it's nested in the intended
+    // destination, or not extract it otherwise.
+    var extractPath = path.join(opts.path, entry.path);
+    if (extractPath.indexOf(opts.path) != 0) {
+      return;
+    }
+
     entry.pipe(Writer({
-      path: path.join(opts.path,entry.path)
+      path: extractPath
     }))
     .on('error',function(e) {
       self.emit('error',e);

test/uncompressed.js

@@ -46,4 +46,40 @@ test("extract uncompressed archive", function (t) {
       });
     }
   });
-});
+});
+
+test("do not extract zip slip archive", function (t) {
+  var archive = path.join(__dirname, '../testData/zip-slip/zip-slip.zip');
+
+  temp.mkdir('node-zipslip-', function (err, dirPath) {
+    if (err) {
+      throw err;
+    }
+    var unzipExtractor = unzip.Extract({ path: dirPath });
+    unzipExtractor.on('error', function(err) {
+      throw err;
+    });
+    unzipExtractor.on('close', testNoSlip);
+
+    fs.createReadStream(archive).pipe(unzipExtractor);
+
+    function testNoSlip() {
+      if (fs.hasOwnProperty('access')) {
+        var mode = fs.F_OK | (fs.constants && fs.constants.F_OK);
+        return fs.access('/tmp/evil.txt', mode, evilFileCallback);
+      }
+      // node 0.10
+      return fs.stat('/tmp/evil.txt', evilFileCallback);
+    }
+
+    function evilFileCallback(err) {
+      if (err) {
+        t.pass('no zip slip');
+      } else {
+        t.fail('evil file created');
+      }
+      return t.end();
+    }
+
+  });
+});