Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restrict file extraction to the target path #63

Merged
merged 1 commit into from Jan 17, 2019
Merged

Conversation

@Muelsy
Copy link
Contributor

@Muelsy Muelsy commented Jan 16, 2019

Currently decompress-zip will extract files outside of the scope of the specified target directory. This has significant security implications when decompressing files from untrusted users.

This pull request aims to fix this issue by ensuring that the destination path is not be outside set path. \

A new unit test has also been added to verify this functionality. The test archive has been taken from https://github.com/snyk/zip-slip-vulnerability/tree/master/archives

Ensures that file extraction stays within the defined target path.
Functionality is controlled by the boolean 'restrict' which defaults to true.
@sheerun
Copy link
Contributor

@sheerun sheerun commented Jan 17, 2019

Thank you very much for contributing, I'm releasing it right away

@sheerun sheerun merged commit f605885 into bower:master Jan 17, 2019
1 check passed
@sheerun
Copy link
Contributor

@sheerun sheerun commented Jan 17, 2019

Released as 0.3.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants