zip-local - npm Package Compare versions

Comparing version 0.3.4 to 0.3.5

tests/assets/zip-slip.zip

6

CHANGELOG.md

@@ -0,1 +1,7 @@

# v0.3.5
Released 30/12/2021
* Added checks for out of extraction directory files to prevent zip-slip attacks
* Updated deprecated usage of `Buffer`
* Updated dependencies versions to remove vulnerabilities reported by `npm audit`
# v0.3.4

@@ -2,0 +8,0 @@ Released 6/1/2016

18

libs/ZipExport.js

@@ -19,2 +19,3 @@ var fs = require('graceful-fs');

var extraction_path = _path === null ? "./" : path.normalize(_path);
var absolute_extraction_path = path.resolve(extraction_path);
if(extraction_path[extraction_path.length - 1] !== path.sep) {

@@ -44,2 +45,10 @@ extraction_path += path.sep;

var extracted_entry_path = path.resolve(
path.join(absolute_extraction_path, name)
);
if (!extracted_entry_path.startsWith(absolute_extraction_path)) {
callback(new Error("Entry is outside the extraction path"))
return;
}
if (entry.dir)

@@ -129,2 +138,3 @@ dirs.push(name);

var extraction_path = _path === null ? "./" : path.normalize(_path);
var absolute_extraction_path = path.resolve(extraction_path);
if(extraction_path[extraction_path.length - 1] !== path.sep) {

@@ -148,2 +158,8 @@ extraction_path += path.sep;

var extracted_entry_path = path.resolve(
path.join(absolute_extraction_path, name)
);
if (!extracted_entry_path.startsWith(absolute_extraction_path))
throw new Error("Entry is outside the extraction path")
if (entry.dir)

@@ -252,3 +268,3 @@ dirs.push(name);

return new Buffer(buff);
return new Buffer.from(buff);
}

@@ -255,0 +271,0 @@ else {
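Review bot: The guard added at `if (!extracted_entry_path.startsWith(absolute_extraction_path))` (and its twin in the sync hunk) is a plain string-prefix test, so an entry that resolves to a sibling directory sharing the prefix — extracting into `/tmp/out` while the entry lands in `/tmp/out-evil/x` — passes the check and still escapes; `path.resolve` also strips any trailing separator, so the `path.sep` appended to `extraction_path` a few lines later does not help, because `absolute_extraction_path` was computed before that append. Compute the relative path and reject anything that climbs out or lands on another root: `var relative_entry_path = path.relative(absolute_extraction_path, extracted_entry_path);` followed by `if (relative_entry_path === ".." || relative_entry_path.startsWith(".." + path.sep) || path.isAbsolute(relative_entry_path)) {`, which also tolerates extracting into a filesystem root and, on win32, compares case-insensitively the way the filesystem does (a raw `startsWith` presumably would not — worth confirming on the platforms you support). The same two-line change applies to both the callback and the `throw` variants, and the functions enclosing both checks start outside these hunks. Separately, `return new Buffer.from(buff);` applies `new` to the static `Buffer.from` factory; it likely still yields a Buffer because the factory returns an object, but the intended form is `return Buffer.from(buff);`.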

6

package.json
{
"name": "zip-local",
"version": "0.3.4",
"version": "0.3.5",
"description": "very simple zipping/uzipping of local files and directories in node.js",

@@ -39,3 +39,3 @@ "main": "main.js",

"graceful-fs": "^4.1.3",
"jszip": "^2.5.0",
"jszip": "^2.6.1",
"q": "^1.4.1"

@@ -45,5 +45,5 @@ },

"chai": "^3.2.0",
"mocha": "^2.3.0",
"mocha": "^9.1.3",
"rimraf": "^2.4.3"
}
}

@@ -15,3 +15,5 @@ var fs = require('fs');

"./tests/assets/hello-async-unzip",
"./tests/assets/hello-sync-unzip"
"./tests/assets/hello-sync-unzip",
"./tests/assets/zip-slip-async",
"./tests/assets/zip-slip-sync"
];

@@ -18,0 +20,0 @@

@@ -49,2 +49,20 @@ var fs = require('fs');

it("should raise an error when an entry is outside extraction path", function (done) {
zipper.unzip("./tests/assets/zip-slip.zip", function(error, unzipped) {
expect(error).to.equal(null);
fs.mkdir("./tests/assets/zip-slip-async", function (err) {
if (err)
throw err;
unzipped.save("./tests/assets/zip-slip-async", function (error) {
expect(error).to.be.an("error");
expect(error.message).to.equal("Entry is outside the extraction path");
done();
});
});
});
});
it("should check if unzipped files on disk contain correct data", function (done) {

@@ -51,0 +69,0 @@
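Review bot: The new `should raise an error when an entry is outside extraction path` case asserts only the error message and never inspects the filesystem, so a regression that reports the error after the escaping entry was already written (or that rejects for an unrelated reason with the same message) would still pass. After the message assertion, add a check that the traversal target is absent, along the lines of `expect(fs.existsSync(<path the fixture entry escapes to>)).to.equal(false);` — the fixture `tests/assets/zip-slip.zip` is binary here, so I cannot confirm which path that is. A second fixture whose entry resolves to a sibling directory sharing the extraction directory's name as a prefix (e.g. `zip-slip-async-x/`) would also be worth adding, since a plain prefix comparison would not reject it. The enclosing test-suite block starts and ends outside this hunk, and this section's file header is not visible in this view.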

@@ -30,2 +30,10 @@ var fs = require('fs');

it("should raise an error when an entry is outside extraction path", function () {
fs.mkdirSync("./tests/assets/zip-slip-sync");
expect(function () {
zipper.sync.unzip("./tests/assets/zip-slip.zip").save("./tests/assets/zip-slip-sync");
}
).to.throw("Entry is outside the extraction path")
});
it("checks if unzipped files on disk contain correct data", function (done) {

@@ -32,0 +40,0 @@
