Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Do not extract symlinks. #140

Open
fisiognomico opened this issue Nov 10, 2023 · 0 comments
Open

[Feature Request] Do not extract symlinks. #140

fisiognomico opened this issue Nov 10, 2023 · 0 comments

Comments

@fisiognomico
Copy link

Hello everyone!
I have noticed that extract-zip correctly checks for relative and absolute paths in a zip target filename to avoid an arbitrary file read and write like zip-slip.

Unfortunately there are some scenarios in which an attacker can obtain a similar result using a symlink contained in a zip archive, for example if the web server renders the original contents of the archive.

To avoid the disruption of what might be an expected functionality, it should be feasible to simply add a flag to state if the user wants to have symlinks extracted or not, like

--- a/index.js
+++ b/index.js
@@ -124,7 +124,9 @@ class Extractor {
     debug('opening read stream', dest)
     const readStream = await promisify(this.zipfile.openReadStream.bind(this.zipfile))(entry)

-    if (symlink) {
+    if (symlink && this.opts.no_symlink) {
+      throw new Error(`Unallowed to decompress symlink: ${entry.filename}`)
+    } else if (symlink) {

The only issue I see is that it would require to change how user options are parsed, as at the moment only one argument is expected.
Would you be interested in such a feature?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fisiognomico