@tryghost/zip 1.1.35 → 1.1.37

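--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,6 +1,6 @@
  MIT License
 
- Copyright (c) 2013-2022 Ghost Foundation
+ Copyright (c) 2013-2023 Ghost Foundation
 
  Permission is hereby granted, free of charge, to any person obtaining a copy
  of this software and associated documentation files (the "Software"), to deal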
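--- a/package/README.md
+++ b/package/README.md
@@ -47,4 +47,4 @@ Follow the instructions for the top-level repo.
 
  # Copyright & License
 
- Copyright (c) 2013-2022 Ghost Foundation - Released under the [MIT license](LICENSE).
+ Copyright (c) 2013-2023 Ghost Foundation - Released under the [MIT license](LICENSE).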
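--- a/package/lib/extract.js
+++ b/package/lib/extract.js
@@ -1,5 +1,22 @@
+ const errors = require('@tryghost/errors');
+
  const defaultOptions = {};
 
+ function throwOnSymlinks(entry) {
+ // Check if symlink
+ const mode = (entry.externalFileAttributes >> 16) & 0xFFFF;
+ // check if it's a symlink or dir (using stat mode constants)
+ const IFMT = 61440;
+ const IFLNK = 40960;
+ const symlink = (mode & IFMT) === IFLNK;
+
+ if (symlink) {
+ throw new errors.UnsupportedMediaTypeError({
+ message: 'Symlinks in ZIP-files are not allowed'
+ });
+ }
+ }
+
  /**
  * Extract
  *
@@ -19,6 +36,15 @@ module.exports = (zipToExtract, destination, options) => {
 
  opts.dir = destination;
 
+ if (opts.onEntry) {
+ opts.onEntry = (entry, zipfile) => {
+ throwOnSymlinks(entry);
+ options.onEntry(entry, zipfile);
+ };
+ } else {
+ opts.onEntry = throwOnSymlinks;
+ }
+
  return extract(zipToExtract, opts).then(() => {
  return {path: destination};
  });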
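Review bot: In the second hunk the wrapper is installed when `opts.onEntry` is set but then calls `options.onEntry`, so the guard and the call only agree as long as both names hold the same callback; capturing it first with `const userOnEntry = opts.onEntry;` and calling `userOnEntry(entry, zipfile)` removes that coupling (how `opts` is built, and the start of the exported function, are outside the hunk). In `throwOnSymlinks` the comment `// check if it's a symlink or dir` does not match the code, which rejects only symlink entries; `// S_IFMT / S_IFLNK stat mode bits: reject symlink entries only` would be accurate, and `fs.constants.S_IFMT` / `fs.constants.S_IFLNK` could replace the decimal literals. Because the check runs per entry, files written before a symlink entry is reached presumably remain in `destination` when the promise rejects; unless extract-zip already cleans up, the JSDoc should tell callers to remove the destination directory on failure.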
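--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@tryghost/zip",
- "version": "1.1.35",
+ "version": "1.1.37",
  "repository": "https://github.com/TryGhost/framework/tree/main/packages/zip",
  "author": "Ghost Foundation",
  "license": "MIT",
@@ -26,9 +26,10 @@
  "sinon": "15.0.4"
  },
  "dependencies": {
+ "@tryghost/errors": "^1.2.26",
  "archiver": "^5.0.0",
  "extract-zip": "^2.0.1",
- "fs-extra": "^10.0.0"
+ "fs-extra": "^11.0.0"
  },
- "gitHead": "4bf425a83dabe8e70ee28dffa37cf678b640068e"
+ "gitHead": "a8099b9b00a5236dec93250593606bdd2a746fef"
  }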