fix: zip extraction validation (#1753)

* fix: zip extraction validation

* fix
Philip Okugbe 2025-12-01 11:37:59 +00:00 committed by GitHub
parent 8014ba3ab7
commit c3b350d943


@ -103,6 +103,14 @@ function extractZipInternal(
zipfile.on('entry', (entry) => { zipfile.on('entry', (entry) => {
const name = entry.fileName.toString('utf8'); const name = entry.fileName.toString('utf8');
const safe = name.replace(/^\/+/, ''); const safe = name.replace(/^\/+/, '');
const validationError = yauzl.validateFileName(safe);
if (validationError) {
console.warn(`Skipping invalid entry (${validationError})`);
zipfile.readEntry();
return;
}
if (safe.startsWith('__MACOSX/')) { if (safe.startsWith('__MACOSX/')) {
zipfile.readEntry(); zipfile.readEntry();
return; return;
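Review bot: The `console.warn` inside the new validation branch reports only the reason and not which entry was skipped, so an operator cannot tell from the log which archive member was dropped, unlike the second hunk's `Skipping entry (path outside target): ${safe}` message; `console.warn(\`Skipping invalid entry ${safe} (${validationError})\`);` would make the two messages consistent. Because the leading-slash strip on the line above runs before `yauzl.validateFileName`, an absolute entry name is normalised to a relative one instead of being rejected; that is defensible given the `resolved.startsWith(targetResolved + path.sep)` guard in the next hunk, but the intent deserves a comment such as `// Absolute names are made relative to target here; validateFileName then rejects backslashes and '..' segments`. Name validation says nothing about where a symlink entry points, so if this extractor ever materialises symlink entries that case needs its own check — the code that would handle it is not visible from here. extractZipInternal starts before this hunk and continues past it.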
@ -110,6 +118,15 @@ function extractZipInternal(
const fullPath = path.join(target, safe); const fullPath = path.join(target, safe);
const resolved = path.resolve(fullPath);
const targetResolved = path.resolve(target);
if (!resolved.startsWith(targetResolved + path.sep)) {
console.warn(`Skipping entry (path outside target): ${safe}`);
zipfile.readEntry();
return;
}
// Handle directories // Handle directories
if (/\/$/.test(name)) { if (/\/$/.test(name)) {
try { try {