Merge pull request #212 from aviadatsnyk/master

fix: prevent extracting archived files outside of target path.  Credit to Snyk Security Research Team for disclosure and fixing the issue.

Author: cthackers

adm-zip.js

@@ -354,6 +354,9 @@ module.exports = function(/*String*/input) {
 
 
             var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));
+            if(!target.startsWith(targetPath)) {
+                throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+            }
 
             if (item.isDirectory) {
                 target = pth.resolve(target, "..");
@@ -429,6 +432,10 @@ module.exports = function(/*String*/input) {
             _zip.entries.forEach(function(entry) {
                 entryName = entry.entryName.toString();
 
+                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                    throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+                }
+
                 if(isWin){
                     entryName = escapeFileName(entryName)
                 }
@@ -471,6 +478,10 @@ module.exports = function(/*String*/input) {
                     entryName = escapeFileName(entryName)
                 }
 
+                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                  throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+                }
+
                 if (entry.isDirectory) {
                     Utils.makeDir(pth.resolve(targetPath, entryName));
                     if(--i == 0)