From 67ecb61e960ae1cd83966d1a93ee1c4d99d70d27 Mon Sep 17 00:00:00 2001
From: Anton Golub
Date: Tue, 5 Dec 2023 18:57:49 +0300
Subject: [PATCH] fix: sanitize paths on extract
---
 src/main/js/util.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/js/util.js b/src/main/js/util.js
index f0379ba..d03c4bf 100644
--- a/src/main/js/util.js
+++ b/src/main/js/util.js
@@ -66,13 +66,15 @@ export const getCommonPath = files => {
 return p.slice(0, p.lastIndexOf('/') + 1)
 }
+export const safePath = v => path.resolve('/', v).slice(1)
+
 // https://stackoverflow.com/questions/19978452/how-to-extract-single-file-from-tar-gz-archive-using-node-js
 export const unzip = (stream, {pick, omit, cwd = process.cwd(), strip = 0} = {}) => new Promise((resolve, reject) => {
 const extract = tar.extract()
 const results = []
 extract.on('entry', ({name, type}, stream, cb)=> {
- const _name = strip ? name.split('/').slice(strip).join('/') : name
+ const _name = safePath(strip ? name.split('/').slice(strip).join('/') : name)
 const fp = path.join(cwd, _name)
 let data = ''
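Review bot: `safePath` is the only containment step in `unzip`, and `path.resolve('/', v).slice(1)` is platform-dependent: on POSIX it collapses `..` segments and drops the leading `/`, but on Windows `path.resolve` returns a drive-prefixed path, so `.slice(1)` yields a malformed name rather than a relative one. I would keep the normalisation and add an explicit check after `const fp = path.join(cwd, _name)`, e.g. `const rel = path.relative(cwd, fp)` followed by `if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) { /* reject or skip the entry */ }`, so the guarantee does not depend on how the name was rewritten. A one-line comment on `safePath` stating its contract would also help, for example `// Maps an archive entry name to a path relative to the extraction root; '..' segments cannot climb above it`. The `entry` handler continues past the end of the hunk, so how `type` values such as links are treated is not visible here and should be checked against the same rule. The diffstat shows only `util.js` changed; a test that feeds an entry named like `../outside.txt` and asserts the resulting `fp` stays under `cwd` would pin the behaviour.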