add testing for complex path sanitizer in ZipSlip

2026-04-30 11:15:13 +02:00 · 2020-05-19 10:17:15 +02:00
parent 0d762066f5
commit 5a5192b890
1 changed files with 14 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js
@@ -15,3 +15,17 @@ fs.createReadStream('archive.zip')

    fs.createWriteStream(path.join(cwd, path.join('/', fileName)));
  });
+
+fs.createReadStream('archive.zip')
+  .pipe(unzip.Parse())
+  .on('entry', entry => {
+    const fileName = path.normalize(entry.path);
+
+    if (path.isAbsolute(fileName)) {
+      return;
+    }
+
+    if (!fileName.startsWith(".")) {
+      entry.pipe(fs.createWriteStream(fileName)); // OK.
+    }
+  });