From c3b350d943108552e20654580005cd6f6c78ab05 Mon Sep 17 00:00:00 2001
From: Philip Okugbe <16838612+Philipinho@users.noreply.github.com>
Date: Mon, 1 Dec 2025 11:37:59 +0000
Subject: [PATCH] fix: zip extraction validation (#1753)

* fix: zip extraction validation
* fix
---
 .../src/integrations/import/utils/file.utils.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/apps/server/src/integrations/import/utils/file.utils.ts b/apps/server/src/integrations/import/utils/file.utils.ts
index b3d39cda..0b27554b 100644
--- a/apps/server/src/integrations/import/utils/file.utils.ts
+++ b/apps/server/src/integrations/import/utils/file.utils.ts
@@ -103,6 +103,14 @@ function extractZipInternal(
   zipfile.on('entry', (entry) => {
     const name = entry.fileName.toString('utf8');
     const safe = name.replace(/^\/+/, '');
+
+    const validationError = yauzl.validateFileName(safe);
+    if (validationError) {
+      console.warn(`Skipping invalid entry (${validationError})`);
+      zipfile.readEntry();
+      return;
+    }
+
     if (safe.startsWith('__MACOSX/')) {
       zipfile.readEntry();
       return;
@@ -110,6 +118,15 @@ function extractZipInternal(
 
     const fullPath = path.join(target, safe);
 
+    const resolved = path.resolve(fullPath);
+    const targetResolved = path.resolve(target);
+
+    if (!resolved.startsWith(targetResolved + path.sep)) {
+      console.warn(`Skipping entry (path outside target): ${safe}`);
+      zipfile.readEntry();
+      return;
+    }
+
     // Handle directories
     if (/\/$/.test(name)) {
       try {
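Review bot: The added `console.warn` in the first hunk writes attacker-controlled archive content straight into the log — yauzl's `validateFileName` message embeds the raw entry name, and the second hunk's warning interpolates `safe` directly — so an entry name carrying newlines or terminal escape sequences lands in the log unencoded. Encode the value before logging, e.g. `console.warn(\`Skipping invalid entry (${JSON.stringify(validationError)})\`);` here and `${JSON.stringify(safe)}` in the second hunk. This lives in apps/server, which presumably has a structured logger rather than `console`; the hunk does not show which one is in scope. extractZipInternal begins before and ends after this hunk.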
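Review bot: The containment check in the second hunk turns a path-escape attempt into a per-entry skip and keeps reading, so an archive containing an out-of-target entry is imported partially and the caller never learns about it. Because `path.join` already normalises `..` and `validateFileName` has already rejected `..` segments and absolute names, reaching this branch signals a bypass or a deliberately malformed archive, and it would be safer to fail the whole import here (via whatever reject/error path extractZipInternal exposes, which is outside the hunk) than to continue. The `startsWith(targetResolved + path.sep)` form also rejects an entry that resolves to the target root itself (empty `safe` after stripping slashes), which is correct but non-obvious; a comment such as `// Strict prefix including the separator: rejects escapes and the target root itself` would help the next reader. The enclosing function continues past the end of the hunk.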