fix: prevent extracting archived files outside of target path #212
Why this PR?
This PR is meant to fix an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
A sample malicious zip file named
```js
var AdmZip = require('adm-zip');
var zip = new AdmZip("./zip-slip.zip");
zip.extractAllTo("/tmp/safe");
```
There are various possible ways to avoid this issue, some include checking for