compressing 1.10.2 → 1.10.4

package/README.md

@@ -1,8 +1,11 @@
-# compressing
+# compressing@1
 
 [![NPM version][npm-image]][npm-url]
 [![Test coverage][codecov-image]][codecov-url]
 [![npm download][download-image]][download-url]
+[![Node.js Version](https://img.shields.io/node/v/compressing.svg?style=flat)](https://nodejs.org/en/download/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)
+![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/node-modules/compressing)
 
 [npm-image]: https://img.shields.io/npm/v/compressing.svg?style=flat-square
 [npm-url]: https://npmjs.org/package/compressing
@@ -11,6 +14,10 @@
 [download-image]: https://img.shields.io/npm/dm/compressing.svg?style=flat-square
 [download-url]: https://npmjs.org/package/compressing
 
+## ⚠️ Warning
+
+**Version 1.x is no longer maintained. Please upgrade to version 2.x as soon as possible.**
+
 The missing compressing and uncompressing lib for node.
 
 Currently supported:
@@ -23,7 +30,7 @@ Currently supported:
 ## Install
 
 ```bash
-npm install compressing
+npm install compressing@1
 ```
 
 ## Usage
@@ -364,15 +371,9 @@ Due to the design of the .zip file format, it's impossible to interpret a .zip f
 Although the API is streaming style(try to keep it handy), it still loads all data into memory.
 
 <https://github.com/thejoshwolfe/yauzl#no-streaming-unzip-api>
-<!-- GITCONTRIBUTOR_START -->
 
 ## Contributors
 
-|[<img src="https://avatars.githubusercontent.com/u/156269?v=4" width="100px;"/><br/><sub><b>fengmk2</b></sub>](https://github.com/fengmk2)<br/>|[<img src="https://avatars.githubusercontent.com/u/456108?v=4" width="100px;"/><br/><sub><b>shaoshuai0102</b></sub>](https://github.com/shaoshuai0102)<br/>|[<img src="https://avatars.githubusercontent.com/u/360661?v=4" width="100px;"/><br/><sub><b>popomore</b></sub>](https://github.com/popomore)<br/>|[<img src="https://avatars.githubusercontent.com/u/32174276?v=4" width="100px;"/><br/><sub><b>semantic-release-bot</b></sub>](https://github.com/semantic-release-bot)<br/>|[<img src="https://avatars.githubusercontent.com/u/9692408?v=4" width="100px;"/><br/><sub><b>DiamondYuan</b></sub>](https://github.com/DiamondYuan)<br/>|[<img src="https://avatars.githubusercontent.com/u/101238421?v=4" width="100px;"/><br/><sub><b>acyza</b></sub>](https://github.com/acyza)<br/>|
-| :---: | :---: | :---: | :---: | :---: | :---: |
-|[<img src="https://avatars.githubusercontent.com/u/13938334?v=4" width="100px;"/><br/><sub><b>bytemain</b></sub>](https://github.com/bytemain)<br/>|[<img src="https://avatars.githubusercontent.com/u/20432815?v=4" width="100px;"/><br/><sub><b>rickyes</b></sub>](https://github.com/rickyes)<br/>|[<img src="https://avatars.githubusercontent.com/u/8382136?v=4" width="100px;"/><br/><sub><b>Ryqsky</b></sub>](https://github.com/Ryqsky)<br/>|[<img src="https://avatars.githubusercontent.com/u/47357585?v=4" width="100px;"/><br/><sub><b>songhn233</b></sub>](https://github.com/songhn233)<br/>|[<img src="https://avatars.githubusercontent.com/u/160386?v=4" width="100px;"/><br/><sub><b>Infiltrator</b></sub>](https://github.com/Infiltrator)<br/>|[<img src="https://avatars.githubusercontent.com/u/13861843?v=4" width="100px;"/><br/><sub><b>ZeekoZhu</b></sub>](https://github.com/ZeekoZhu)<br/>|
-[<img src="https://avatars.githubusercontent.com/u/6897780?v=4" width="100px;"/><br/><sub><b>killagu</b></sub>](https://github.com/killagu)<br/>|[<img src="https://avatars.githubusercontent.com/u/59508678?v=4" width="100px;"/><br/><sub><b>okaponta</b></sub>](https://github.com/okaponta)<br/>|[<img src="https://avatars.githubusercontent.com/u/9857273?v=4" width="100px;"/><br/><sub><b>ShadyZOZ</b></sub>](https://github.com/ShadyZOZ)<br/>
-
-This project follows the git-contributor [spec](https://github.com/xudafeng/git-contributor), auto updated at `Thu Aug 03 2023 01:39:37 GMT+0800`.
+[![Contributors](https://contrib.rocks/image?repo=node-modules/compressing)](https://github.com/node-modules/compressing/graphs/contributors)
 
-<!-- GITCONTRIBUTOR_END -->
+Made with [contributors-img](https://contrib.rocks).

package/lib/utils.js

@@ -5,6 +5,22 @@ const path = require('path');
 const mkdirp = require('mkdirp');
 const pump = require('pump');
 
+/**
+ * Check if childPath is within parentPath (prevents path traversal attacks)
+ * @param {string} childPath - The path to check
+ * @param {string} parentPath - The parent directory path
+ * @returns {boolean} - True if childPath is within parentPath
+ */
+function isPathWithinParent(childPath, parentPath) {
+  const normalizedChild = path.resolve(childPath);
+  const normalizedParent = path.resolve(parentPath);
+  const parentWithSep = normalizedParent.endsWith(path.sep)
+    ? normalizedParent
+    : normalizedParent + path.sep;
+  return normalizedChild === normalizedParent ||
+         normalizedChild.startsWith(parentWithSep);
+}
+
 // file/fileBuffer/stream
 exports.sourceType = source => {
   if (!source) return undefined;
@@ -93,6 +109,9 @@ exports.makeUncompressFn = StreamClass => {
       mkdirp(destDir, err => {
         if (err) return reject(err);
 
+        // Resolve destDir to absolute path for security validation
+        const resolvedDestDir = path.resolve(destDir);
+
         let entryCount = 0;
         let successCount = 0;
         let isFinish = false;
@@ -109,31 +128,53 @@ exports.makeUncompressFn = StreamClass => {
           .on('error', reject)
           .on('entry', (header, stream, next) => {
             stream.on('end', next);
+            const destFilePath = path.join(resolvedDestDir, header.name);
+            const resolvedDestPath = path.resolve(destFilePath);
+
+            // Security: Validate that the entry path doesn't escape the destination directory
+            if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
+              console.warn(`[compressing] Skipping entry with path traversal: "${header.name}" -> "${resolvedDestPath}"`);
+              stream.resume();
+              return;
+            }
 
             if (header.type === 'file') {
-              const fullpath = path.join(destDir, header.name);
-              mkdirp(path.dirname(fullpath), err => {
+              const dir = path.dirname(destFilePath);
+              mkdirp(dir, err => {
                 if (err) return reject(err);
 
                 entryCount++;
-                pump(stream, fs.createWriteStream(fullpath, { mode: opts.mode || header.mode }), err => {
+                pump(stream, fs.createWriteStream(destFilePath, { mode: opts.mode || header.mode }), err => {
                   if (err) return reject(err);
                   successCount++;
                   done();
                 });
               });
             } else if (header.type === 'symlink') {
-              // symlink
-              const src = path.join(destDir, header.name);
-              const target = path.resolve(path.dirname(src), header.linkname);
+              const dir = path.dirname(destFilePath);
+              const target = path.resolve(dir, header.linkname);
+
+              // Security: Validate that the symlink target doesn't escape the destination directory
+              if (!isPathWithinParent(target, resolvedDestDir)) {
+                console.warn(`[compressing] Skipping symlink "${header.name}": target "${target}" escapes extraction directory`);
+                stream.resume();
+                return;
+              }
+
               entryCount++;
-              fs.symlink(target, src, err => {
+
+              mkdirp(dir, err => {
                 if (err) return reject(err);
-                successCount++;
-                stream.resume();
+
+                const relativeTarget = path.relative(dir, target);
+                fs.symlink(relativeTarget, destFilePath, err => {
+                  if (err) return reject(err);
+                  successCount++;
+                  stream.resume();
+                });
               });
             } else { // directory
-              mkdirp(path.join(destDir, header.name), err => {
+              mkdirp(destFilePath, err => {
                 if (err) return reject(err);
                 stream.resume();
               });
@@ -175,7 +216,7 @@ function normalizePath(fileName) {
   return fileName;
 }
 
-exports.stripFileName = (strip, fileName, type) => {
+function stripFileName(strip, fileName, type) {
   // before
   // node/package.json
   // node/lib/index.js
@@ -218,4 +259,6 @@ exports.stripFileName = (strip, fileName, type) => {
 
   strip = Math.min(strip, s.length - 1);
   return s.slice(strip).join('/') || '/';
-};
+}
+
+exports.stripFileName = stripFileName;

package/package.json

@@ -1,10 +1,9 @@
 {
   "name": "compressing",
-  "version": "1.10.2",
+  "version": "1.10.4",
   "description": "Everything you need for compressing and uncompressing",
   "main": "index.js",
   "scripts": {
-    "contributor": "git-contributor",
     "test:ts": "tsc -p ./test/fixtures/types/tsconfig.json",
     "test:js": "egg-bin test --ts false",
     "test": "npm run test:js && npm run test:ts",
@@ -57,7 +56,6 @@
     "egg-bin": "6",
     "eslint": "8",
     "eslint-config-egg": "12",
-    "git-contributor": "2",
     "mm": "^2.0.0",
     "mz-modules": "^2.1.0",
     "typescript": "5",