Restrict file extraction to the target path

muelsy · muelsy · commit 9a908bd30ec9 · 2019-01-16T14:06:38.000+11:00
Ensures that file extraction stays within the defined target path.
Functionality is controlled by the boolean 'restrict' which defaults to true.
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ Returns an EventEmitter with two possible events - `error` on an error, and `ext
 - **follow** *Boolean* - If true, rather than create stored symlinks as symlinks make a shallow copy of the target instead (default `false`)
 - **filter** *Function* - A function that will be called once for each file in the archive. It takes one argument which is an object containing details of the file. Return true for any file that you want to extract, and false otherwise. (default `null`)
 - **strip** *Number* - Remove leading folders in the path structure. Equivalent to `--strip-components` for tar.
+- **restrict** *Boolean* - If true, will restrict files from being created outside `options.path`. Setting to `false` has significant security [implications](https://snyk.io/research/zip-slip-vulnerability) if you are extracting untrusted data. (default `true`)
 
 ```js
 var DecompressZip = require('decompress-zip');
diff --git a/lib/decompress-zip.js b/lib/decompress-zip.js
@@ -77,15 +77,26 @@ DecompressZip.prototype.extract = function (options) {
     var self = this;
 
     options = options || {};
-    options.path = options.path || '.';
+    options.path = options.path || process.cwd();
     options.filter = options.filter || null;
     options.follow = !!options.follow;
     options.strip = +options.strip || 0;
+    options.restrict = options.restrict !== false;
+
 
     this.getFiles()
     .then(function (files) {
         var copies = [];
-
+        if (options.restrict) {
+          files = files.map(function (file) {
+            var destination = path.join(options.path, file.path);
+            // The destination path must not be outside options.path
+            if (destination.indexOf(options.path) !== 0) {
+              throw new Error('You cannot extract a file outside of the target path');
+            }
+            return file;
+          });
+        }
         if (options.filter) {
             files = files.filter(options.filter);
         }
diff --git a/test/assets/restrict-pack/escape.zip b/test/assets/restrict-pack/escape.zip
diff --git a/test/test.js b/test/test.js
@@ -121,6 +121,20 @@ describe('Extract', function () {
 
             zip.extract({path: tmpDir.path()});
         });
+        it('should emit an error when a file attempts to escape the current working directory', function (done) {
+          var zip = new DecompressZip(assetsDir + 'restrict-pack/escape.zip');
+          zip.on('extract', function () {
+              assert(false, '"extract" event should not fire');
+              done();
+          });
+
+          zip.on('error', function (error) {
+              assert(true, '"error" event should fire');
+              done();
+          });
+
+          zip.extract({path: tmpDir.path(), strip: 3});
+        });
     });
 
     describe('directory creation', function () {
