extract-zip - npm Package Compare versions

Comparing version 1.6.0 to 1.6.1

index.js

@@ -11,5 +11,16 @@ var fs = require('fs')
 
+  if (path.isAbsolute(opts.dir) === false) {
+    return cb(new Error('Target directory is expected to be absolute'))
+  }
+
   mkdirp(opts.dir, function (err) {
     if (err) return cb(err)
-    openZip()
+
+    fs.realpath(opts.dir, function (err, canonicalDir) {
+      if (err) return cb(err)
+
+      opts.dir = canonicalDir
+
+      openZip(opts)
+    })
   })
@@ -48,4 +59,5 @@
 
-        extractEntry(entry, function (err) {
-          // if any extraction fails then abort everything
+        var destDir = path.dirname(path.join(opts.dir, entry.fileName))
+
+        fs.realpath(destDir, function (err, canonicalDestDir) {
           if (err) {
@@ -56,4 +68,21 @@ cancelled = true
           }
-          debug('finished processing', entry.fileName)
-          zipfile.readEntry()
+
+          var relativeDestDir = path.relative(opts.dir, canonicalDestDir)
+
+          if (relativeDestDir.split(path.sep).indexOf('..') !== -1) {
+            cancelled = true
+            zipfile.close()
+            return cb(new Error('Out of bound path "' + canonicalDestDir + '" found while processing file ' + entry.fileName))
+          }
+
+          extractEntry(entry, function (err) {
+            // if any extraction fails then abort everything
+            if (err) {
+              cancelled = true
+              zipfile.close()
+              return cb(err)
+            }
+            debug('finished processing', entry.fileName)
+            zipfile.readEntry()
+          })
         })
@@ -83,2 +112,7 @@ })
 
+        // Failsafe, borrowed from jsZip
+        if (!isDir && entry.fileName.slice(-1) === '/') {
+          isDir = true
+        }
+
         // check for windows weird way of specifying a directory
@@ -85,0 +119,0 @@ // https://github.com/maxogden/extract-zip/issues/13#issuecomment-154494566

package.json

 {
   "name": "extract-zip",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "description": "unzip a zip file into a directory using 100% pure gluten-free organic javascript",
@@ -16,3 +16,3 @@ "main": "index.js",
     "type": "git",
-    "url": "git+ssh://git@github.com/maxogden/extract-zip.git"
+    "url": "git+ssh://git@github.com/erisds/extract-zip-fork.git"
   },
@@ -19,0 +19,0 @@ "keywords": [

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

8932

increased by12.88%

Lines of code

176

increased by16.56%

No dependency changes