fix: sanitize paths on extract

semrel-extra · Dec 5, 2023 · 67ecb61 · 67ecb61
1 parent 2774783
commit 67ecb61
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/main/js/util.js b/src/main/js/util.js
@@ -66,13 +66,15 @@ export const getCommonPath = files => {
   return p.slice(0, p.lastIndexOf('/') + 1)
 }
 
+export const safePath = v => path.resolve('/', v).slice(1)
+
 // https://stackoverflow.com/questions/19978452/how-to-extract-single-file-from-tar-gz-archive-using-node-js
 export const unzip = (stream, {pick, omit, cwd = process.cwd(), strip = 0} = {}) => new Promise((resolve, reject) => {
   const extract = tar.extract()
   const results = []
 
   extract.on('entry', ({name, type}, stream, cb)=>  {
-    const _name = strip ? name.split('/').slice(strip).join('/') : name
+    const _name = safePath(strip ? name.split('/').slice(strip).join('/') : name)
     const fp = path.join(cwd, _name)
 
     let data = ''