
skipEntryNameValidation: archives with malicious entries will throw a…

…n error
antelle committed Oct 28, 2017
1 parent 51fc736 commit 688eff984c3cfb318c3f25547f11c4bb85e68856
Showing with 21 additions and 4 deletions.
  1. +7 −2 README.md
  2. +0 −1 example.js
  3. +9 −0 node_stream_zip.js
  4. +1 −1 package.json
  5. +4 −0 release-notes.md
@@ -20,7 +20,6 @@ Features:

Open a zip file
```javascript
// Open a zip file
const StreamZip = require('node-stream-zip');
const zip = new StreamZip({
file: 'archive.zip',
@@ -111,7 +110,13 @@ zip.on('entry', entry => {
});
```

If you pass `storeEntries: true` to constructor, you will be able to access entries inside zip archive with:
# Options

You can pass these options to the constructor
- `storeEntries: true` - you will be able to work with entries inside zip archive, otherwise the only way to access them is `entry` event
- `skipEntryNameValidation: true` - by default, entry name is checked for malicious characters, like `../` or `c:\123`, pass this flag to disable validation errors

# Methods

- `zip.entries()` - get all entries description
- `zip.entry(name)` - get entry description by name
@@ -2,7 +2,6 @@ console.log('Loading zip...');
var StreamZip = require('./node_stream_zip.js');
var zip = new StreamZip({
file: './test/ok/normal.zip'
//file: 'd:/temp/node_src.zip'
});
zip.on('error', function(err) { console.error('ERROR: ' + err); });
zip.on('ready', function() {
@@ -336,6 +336,9 @@ var StreamZip = function(config) {
return;
}
entry.read(buffer, bufferPos);
if (!config.skipEntryNameValidation) {
entry.validateName();
}
if (entries)
entries[entry.name] = entry;
that.emit('entry', entry);
@@ -718,6 +721,12 @@ ZipEntry.prototype.read = function(data, offset) {
this.comment = this.comLen ? data.slice(offset, offset + this.comLen).toString() : null;
};

ZipEntry.prototype.validateName = function() {
if (/\\|^\w+:|^\/|(^|\/)\.\.(\/|$)/.test(this.name)) {
throw new Error('Malicious entry: ' + this.name);
}
};

ZipEntry.prototype.readExtra = function(data, offset) {
var signature, size, maxPos = offset + this.extraLen;
while (offset < maxPos) {
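Review bot: `skipEntryNameValidation` switches off the only path check visible in this section, and because the regex in `validateName` rejects every backslash, a caller who sets the flag just to open an archive written with `\` separators also loses the `..` and absolute-path rejection. The extraction code is outside this section, so it is not visible whether it separately confirms that each resolved destination stays under the output directory; if it does not, that containment check belongs there so the flag relaxes only name strictness. The regex also deserves a comment above it, for example `// Reject any backslash, a leading "name:" prefix (drive letter), a leading "/", and any ".." path segment.`. The enclosing `StreamZip` function starts and ends outside the first hunk, so it cannot be confirmed from here that the throw from `entry.validateName()` is caught and surfaced as an `error` event rather than escaping the read callback.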
@@ -1,6 +1,6 @@
{
"name": "node-stream-zip",
"version": "1.3.8",
"version": "1.4.0",
"description": "node.js library for reading and extraction of ZIP archives",
"keywords": [
"zip",
@@ -1,5 +1,9 @@
Release notes
-------------
##### v1.4.0 (2017-10-28)
Archives with malicious entries will throw an error
`+` option to disable it: `skipEntryNameValidation`

##### v1.3.8 (2017-10-27)
Fix #20: throw errors
