compressing 1.10.3 → 2.0.1

package/README.md

@@ -75,7 +75,7 @@ fs.createReadStream('file/path/to/compress')
   .on('error', handleError);
 
 // You should take care of stream errors in caution, use pump to handle error in one place
-const pump = require('pump');
+const { pipeline: pump } = require('stream');
 const sourceStream = fs.createReadStream('file/path/to/compress');
 const gzipStream = new compressing.gzip.FileStream();
 const destStream = fs.createWriteStream('path/to/destination.gz');
@@ -169,7 +169,7 @@ const urllib = require('urllib');
 const targetDir = require('os').tmpdir();
 const compressing = require('compressing');
 
-urllib.request('http://registry.npmjs.org/pedding/-/pedding-1.1.0.tgz', {
+urllib.request('http://registry.npmjs.org/compressing/-/compressing-2.0.0.tgz', {
   streaming: true,
   followRedirect: true,
 })
@@ -193,7 +193,7 @@ function onEntry(header, stream, next) => {
   if (header.type === 'file') {
     stream.pipe(fs.createWriteStream(path.join(destDir, header.name)));
   } else { // directory
-    mkdirp(path.join(destDir, header.name), err => {
+    fs.mkdir(path.join(destDir, header.name), { recursive: true }, err => {
       if (err) return handleError(err);
       stream.resume();
     });

package/lib/tgz/file_stream.js

@@ -4,7 +4,7 @@ const tar = require('../tar');
 const gzip = require('../gzip');
 const utils = require('../utils');
 const stream = require('stream');
-const pump = require('pump');
+const { pipeline: pump } = require('stream');
 const ready = require('get-ready');
 
 class TgzFileStream extends stream.Transform {

package/lib/utils.js

@@ -2,8 +2,23 @@
 
 const fs = require('fs');
 const path = require('path');
-const mkdirp = require('mkdirp');
-const pump = require('pump');
+const { pipeline: pump } = require('stream');
+
+/**
+ * Check if childPath is within parentPath (prevents path traversal attacks)
+ * @param {string} childPath - The path to check
+ * @param {string} parentPath - The parent directory path
+ * @returns {boolean} - True if childPath is within parentPath
+ */
+function isPathWithinParent(childPath, parentPath) {
+  const normalizedChild = path.resolve(childPath);
+  const normalizedParent = path.resolve(parentPath);
+  const parentWithSep = normalizedParent.endsWith(path.sep)
+    ? normalizedParent
+    : normalizedParent + path.sep;
+  return normalizedChild === normalizedParent ||
+         normalizedChild.startsWith(parentWithSep);
+}
 
 // file/fileBuffer/stream
 exports.sourceType = source => {
@@ -90,9 +105,12 @@ exports.makeUncompressFn = StreamClass => {
     }
 
     return new Promise((resolve, reject) => {
-      mkdirp(destDir, err => {
+      fs.mkdir(destDir, { recursive: true }, err => {
         if (err) return reject(err);
 
+        // Resolve destDir to absolute path for security validation
+        const resolvedDestDir = path.resolve(destDir);
+
         let entryCount = 0;
         let successCount = 0;
         let isFinish = false;
@@ -109,11 +127,19 @@ exports.makeUncompressFn = StreamClass => {
           .on('error', reject)
           .on('entry', (header, stream, next) => {
             stream.on('end', next);
-            const destFilePath = path.join(destDir, header.name);
+            const destFilePath = path.join(resolvedDestDir, header.name);
+            const resolvedDestPath = path.resolve(destFilePath);
+
+            // Security: Validate that the entry path doesn't escape the destination directory
+            if (!isPathWithinParent(resolvedDestPath, resolvedDestDir)) {
+              console.warn(`[compressing] Skipping entry with path traversal: "${header.name}" -> "${resolvedDestPath}"`);
+              stream.resume();
+              return;
+            }
 
             if (header.type === 'file') {
               const dir = path.dirname(destFilePath);
-              mkdirp(dir, err => {
+              fs.mkdir(dir, { recursive: true }, err => {
                 if (err) return reject(err);
 
                 entryCount++;
@@ -126,9 +152,17 @@ exports.makeUncompressFn = StreamClass => {
             } else if (header.type === 'symlink') {
               const dir = path.dirname(destFilePath);
               const target = path.resolve(dir, header.linkname);
+
+              // Security: Validate that the symlink target doesn't escape the destination directory
+              if (!isPathWithinParent(target, resolvedDestDir)) {
+                console.warn(`[compressing] Skipping symlink "${header.name}": target "${target}" escapes extraction directory`);
+                stream.resume();
+                return;
+              }
+
               entryCount++;
 
-              mkdirp(dir, err => {
+              fs.mkdir(dir, { recursive: true }, err => {
                 if (err) return reject(err);
 
                 const relativeTarget = path.relative(dir, target);
@@ -139,7 +173,7 @@ exports.makeUncompressFn = StreamClass => {
                 });
               });
             } else { // directory
-              mkdirp(destFilePath, err => {
+              fs.mkdir(destFilePath, { recursive: true }, err => {
                 if (err) return reject(err);
                 stream.resume();
               });

package/lib/zip/uncompress_stream.js

@@ -2,6 +2,7 @@
 
 // https://github.com/thejoshwolfe/yauzl#no-streaming-unzip-api
 
+const debug = require('util').debuglog('compressing/zip/uncompress_stream');
 const yauzl = require('@eggjs/yauzl');
 const stream = require('stream');
 const UncompressBaseStream = require('../base_write_stream');
@@ -38,12 +39,20 @@ class ZipUncompressStream extends UncompressBaseStream {
     if (this._zipFileNameEncoding === 'utf-8') {
       this._zipFileNameEncoding = 'utf8';
     }
+    this._finalCallback = err => {
+      if (err) {
+        debug('finalCallback, error: %j', err);
+        return this.emit('error', err);
+      }
+      this.emit('finish');
+    };
 
     this[YAUZL_CALLBACK] = this[YAUZL_CALLBACK].bind(this);
 
     const sourceType = utils.sourceType(opts.source);
 
     const yauzlOpts = this._yauzlOpts = Object.assign({}, DEFAULTS, opts.yauzl);
+    debug('sourceType: %s, yauzlOpts: %j', sourceType, yauzlOpts);
     if (sourceType === 'file') {
       yauzl.open(opts.source, yauzlOpts, this[YAUZL_CALLBACK]);
       return;
@@ -60,27 +69,26 @@ class ZipUncompressStream extends UncompressBaseStream {
         .catch(e => this.emit('error', e));
       return;
     }
-
-    this.on('pipe', srcStream => {
-      srcStream.unpipe(srcStream);
-
-      utils.streamToBuffer(srcStream)
-        .then(buf => {
-          this._chunks.push(buf);
-          buf = Buffer.concat(this._chunks);
-          yauzl.fromBuffer(buf, yauzlOpts, this[YAUZL_CALLBACK]);
-        })
-        .catch(e => this.emit('error', e));
-    });
   }
 
-  _write(chunk) {
-    // push to _chunks array, this will only happen once, for stream will be unpiped.
+  _write(chunk, _encoding, callback) {
     this._chunks.push(chunk);
+    debug('write size: %d, chunks: %d', chunk.length, this._chunks.length);
+    callback();
+  }
+
+  _final(callback) {
+    const buf = Buffer.concat(this._chunks);
+    debug('final, buf size: %d, chunks: %d', buf.length, this._chunks.length);
+    this._finalCallback = callback;
+    yauzl.fromBuffer(buf, this._yauzlOpts, this[YAUZL_CALLBACK]);
   }
 
   [YAUZL_CALLBACK](err, zipFile) {
-    if (err) return this.emit('error', err);
+    if (err) {
+      debug('yauzl error', err);
+      return this._finalCallback(err);
+    }
 
     zipFile.readEntry();
 
@@ -106,17 +114,22 @@ class ZipUncompressStream extends UncompressBaseStream {
 
         if (type === 'file') {
           zipFile.openReadStream(entry, (err, readStream) => {
-            if (err) return this.emit('error', err);
+            if (err) {
+              debug('file, error: %j', err);
+              return this._finalCallback(err);
+            }
+            debug('file, header: %j', header);
             this.emit('entry', header, readStream, next);
           });
         } else { // directory
           const placeholder = new stream.Readable({ read() {} });
+          debug('directory, header: %j', header);
           this.emit('entry', header, placeholder, next);
           setImmediate(() => placeholder.emit('end'));
         }
       })
-      .on('end', () => this.emit('finish'))
-      .on('error', err => this.emit('error', err));
+      .on('end', () => this._finalCallback())
+      .on('error', err => this._finalCallback(err));
 
     function next() {
       zipFile.readEntry();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "compressing",
-  "version": "1.10.3",
+  "version": "2.0.1",
   "description": "Everything you need for compressing and uncompressing",
   "main": "index.js",
   "scripts": {
@@ -39,14 +39,12 @@
   },
   "homepage": "https://github.com/node-modules/compressing#readme",
   "dependencies": {
+    "@eggjs/yauzl": "^2.11.0",
     "flushwritable": "^1.0.0",
     "get-ready": "^1.0.0",
     "iconv-lite": "^0.5.0",
-    "mkdirp": "^0.5.1",
-    "pump": "^3.0.0",
     "streamifier": "^0.1.1",
     "tar-stream": "^1.5.2",
-    "@eggjs/yauzl": "^2.11.0",
     "yazl": "^2.4.2"
   },
   "devDependencies": {
@@ -62,6 +60,6 @@
     "uuid": "^3.0.1"
   },
   "engines": {
-    "node": ">= 4.0.0"
+    "node": ">= 18.0.0"
   }
 }