From 38cb4a4a1615706a19f56ca1e2ac862af9743274 Mon Sep 17 00:00:00 2001
From: Danny Grander <danny@snyk.io>
Date: Tue, 24 Apr 2018 19:41:50 +0300
Subject: [PATCH] fix: resolve both target and entry path

---
 adm-zip.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/adm-zip.js b/adm-zip.js
index 634a96e..d9acf0c 100644
--- a/adm-zip.js
+++ b/adm-zip.js
@@ -354,7 +354,7 @@ module.exports = function(/*String*/input) {
 
 
             var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));
-            if(!target.startsWith(targetPath)) {
+            if(!pth.resolve(target).startsWith(pth.resolve(targetPath))) {
                 throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
             }
 
@@ -432,7 +432,7 @@ module.exports = function(/*String*/input) {
             _zip.entries.forEach(function(entry) {
                 entryName = entry.entryName.toString();
 
-                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                if(!pth.resolve(targetPath, entryName).startsWith(pth.resolve(targetPath))) {
                     throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
                 }
 
@@ -478,7 +478,7 @@ module.exports = function(/*String*/input) {
                     entryName = escapeFileName(entryName)
                 }
 
-                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                if(!pth.resolve(targetPath, entryName).startsWith(pth.resolve(targetPath))) {
                   throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
                 }