compressing 1.10.3 → 1.10.4

package/README.md

@@ -1,4 +1,4 @@
-# compressing
+# compressing@1
 
 [![NPM version][npm-image]][npm-url]
 [![Test coverage][codecov-image]][codecov-url]
@@ -14,6 +14,10 @@
 [download-image]: https://img.shields.io/npm/dm/compressing.svg?style=flat-square
 [download-url]: https://npmjs.org/package/compressing
 
+## ⚠️ Warning
+
+**Version 1.x is no longer maintained. Please upgrade to version 2.x as soon as possible.**
+
 The missing compressing and uncompressing lib for node.
 
 Currently supported:
@@ -26,7 +30,7 @@ Currently supported:
 ## Install
 
 ```bash
-npm install compressing
+npm install compressing@1
 ```
 
 ## Usage

package/lib/utils.js

@@ -5,6 +5,22 @@ const path = require('path');
 const mkdirp = require('mkdirp');
 const pump = require('pump');
 
+/**
+ * Check if childPath is within parentPath (prevents path traversal attacks)
+ * @param {string} childPath - The path to check
+ * @param {string} parentPath - The parent directory path
+ * @returns {boolean} - True if childPath is within parentPath
+ */
+function isPathWithinParent(childPath, parentPath) {
+  const normalizedChild = path.resolve(childPath);
+  const normalizedParent = path.resolve(parentPath);
+  const parentWithSep = normalizedParent.endsWith(path.sep)
+    ? normalizedParent
+    : normalizedParent + path.sep;
+  return normalizedChild === normalizedParent ||
+         normalizedChild.startsWith(parentWithSep);
+}
+
 // file/fileBuffer/stream
 exports.sourceType = source => {
   if (!source) return undefined;
@@ -93,6 +109,9 @@ exports.makeUncompressFn = StreamClass => {
       mkdirp(destDir, err => {
         if (err) return reject(err);
 
+        // Resolve destDir to absolute path for security validation
+        const resolvedDestDir = path.resolve(destDir);
+
         let entryCount = 0;
         let successCount = 0;
         let isFinish = false;
@@ -109,7 +128,15 @@ exports.makeUncompressFn = StreamClass => {
           .on('error', reject)
           .on('entry', (header, stream, next) => {
             stream.on('end', next);
-            const destFilePath = path.join(destDir, header.name);
+            const destFilePath = path.join(resolvedDestDir, header.name);
+            const resolvedDestPath = path.resolve(destFilePath);
+
+            // Security: Validate that the entry path doesn't escape the destination directory
+            if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
+              console.warn(`[compressing] Skipping entry with path traversal: "${header.name}" -> "${resolvedDestPath}"`);
+              stream.resume();
+              return;
+            }
 
             if (header.type === 'file') {
               const dir = path.dirname(destFilePath);
@@ -126,6 +153,14 @@ exports.makeUncompressFn = StreamClass => {
             } else if (header.type === 'symlink') {
               const dir = path.dirname(destFilePath);
               const target = path.resolve(dir, header.linkname);
+
+              // Security: Validate that the symlink target doesn't escape the destination directory
+              if (!isPathWithinParent(target, resolvedDestDir)) {
+                console.warn(`[compressing] Skipping symlink "${header.name}": target "${target}" escapes extraction directory`);
+                stream.resume();
+                return;
+              }
+
               entryCount++;
 
               mkdirp(dir, err => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "compressing",
-  "version": "1.10.3",
+  "version": "1.10.4",
   "description": "Everything you need for compressing and uncompressing",
   "main": "index.js",
   "scripts": {