skipEntryNameValidation: archives with malicious entries will throw a…

…n error
antelle · Oct 28, 2017 · 688eff9 · 688eff9
1 parent 51fc736
commit 688eff9
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -20,7 +20,6 @@ Features:
 
 Open a zip file
 ```javascript
-// Open a zip file
 const StreamZip = require('node-stream-zip');
 const zip = new StreamZip({
     file: 'archive.zip',
@@ -111,7 +110,13 @@ zip.on('entry', entry => {
 });
 ```
 
-If you pass `storeEntries: true` to constructor, you will be able to access entries inside zip archive with:
+# Options
+
+You can pass these options to the constructor
+- `storeEntries: true` - you will be able to work with entries inside zip archive, otherwise the only way to access them is `entry` event
+- `skipEntryNameValidation: true` - by default, entry name is checked for malicious characters, like `../` or `c:\123`, pass this flag to disable validation errors
+
+# Methods
 
 - `zip.entries()` - get all entries description
 - `zip.entry(name)` - get entry description by name

diff --git a/example.js b/example.js
@@ -2,7 +2,6 @@ console.log('Loading zip...');
 var StreamZip = require('./node_stream_zip.js');
 var zip = new StreamZip({
     file: './test/ok/normal.zip'
-    //file: 'd:/temp/node_src.zip'
 });
 zip.on('error', function(err) { console.error('ERROR: ' + err); });
 zip.on('ready', function() {

diff --git a/node_stream_zip.js b/node_stream_zip.js
@@ -336,6 +336,9 @@ var StreamZip = function(config) {
                     return;
                 }
                 entry.read(buffer, bufferPos);
+                if (!config.skipEntryNameValidation) {
+                    entry.validateName();
+                }
                 if (entries)
                     entries[entry.name] = entry;
                 that.emit('entry', entry);
@@ -718,6 +721,12 @@ ZipEntry.prototype.read = function(data, offset) {
     this.comment = this.comLen ? data.slice(offset, offset + this.comLen).toString() : null;
 };
 
+ZipEntry.prototype.validateName = function() {
+    if (/\\|^\w+:|^\/|(^|\/)\.\.(\/|$)/.test(this.name)) {
+        throw new Error('Malicious entry: ' + this.name);
+    }
+};
+
 ZipEntry.prototype.readExtra = function(data, offset) {
     var signature, size, maxPos = offset + this.extraLen;
     while (offset < maxPos) {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "node-stream-zip",
-  "version": "1.3.8",
+  "version": "1.4.0",
   "description": "node.js library for reading and extraction of ZIP archives",
   "keywords": [
     "zip",

diff --git a/release-notes.md b/release-notes.md
@@ -1,5 +1,9 @@
 Release notes
 -------------
+##### v1.4.0 (2017-10-28)
+Archives with malicious entries will throw an error  
+`+` option to disable it: `skipEntryNameValidation`
+
 ##### v1.3.8 (2017-10-27)
 Fix #20: throw errors