sinvo/docmost
1
0
Fork 0
mirror of https://github.com/docmost/docmost.git synced 2026-05-07 06:23:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: zip extraction validation (#1753)

Browse Source 
* fix: zip extraction validation

* fix
This commit is contained in:
Philip Okugbe
2025-12-01 11:37:59 +00:00
committed by GitHub
parent 8014ba3ab7
commit c3b350d943
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/server/src/integrations/import/utils/file.utils.ts
+17
View File
@@ -103,6 +103,14 @@ function extractZipInternal(
zipfile.on('entry', (entry) => { zipfile.on('entry', (entry) => {
const name = entry.fileName.toString('utf8'); const name = entry.fileName.toString('utf8');
const safe = name.replace(/^\/+/, ''); const safe = name.replace(/^\/+/, '');
const validationError = yauzl.validateFileName(safe);
if (validationError) {
console.warn(`Skipping invalid entry (${validationError})`);
zipfile.readEntry();
return;
}
if (safe.startsWith('__MACOSX/')) { if (safe.startsWith('__MACOSX/')) {
zipfile.readEntry(); zipfile.readEntry();
return; return;
@@ -110,6 +118,15 @@ function extractZipInternal(
const fullPath = path.join(target, safe); const fullPath = path.join(target, safe);
const resolved = path.resolve(fullPath);
const targetResolved = path.resolve(target);
if (!resolved.startsWith(targetResolved + path.sep)) {
console.warn(`Skipping entry (path outside target): ${safe}`);
zipfile.readEntry();
return;
}
// Handle directories // Handle directories
if (/\/$/.test(name)) { if (/\/$/.test(name)) {
try { try {