fix: resolve both target and entry path

Danny Grander · Danny Grander · commit 38cb4a4a1615 · 2018-04-24T19:41:50.000+03:00
diff --git a/adm-zip.js b/adm-zip.js
@@ -354,7 +354,7 @@ module.exports = function(/*String*/input) {
 
 
             var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));
-            if(!target.startsWith(targetPath)) {
+            if(!pth.resolve(target).startsWith(pth.resolve(targetPath))) {
                 throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
             }
 
@@ -432,7 +432,7 @@ module.exports = function(/*String*/input) {
             _zip.entries.forEach(function(entry) {
                 entryName = entry.entryName.toString();
 
-                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                if(!pth.resolve(targetPath, entryName).startsWith(pth.resolve(targetPath))) {
                     throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
                 }
 
@@ -478,7 +478,7 @@ module.exports = function(/*String*/input) {
                     entryName = escapeFileName(entryName)
                 }
 
-                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                if(!pth.resolve(targetPath, entryName).startsWith(pth.resolve(targetPath))) {
                   throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -354,7 +354,7 @@ module.exports = function(/String/input) {`
`354`	`354`
`355`	`355`
`356`	`356`	`var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));`
`357`		`- if(!target.startsWith(targetPath)) {`
	`357`	`+ if(!pth.resolve(target).startsWith(pth.resolve(targetPath))) {`
`358`	`358`	`throw Utils.Errors.INVALID_FILENAME + ": " + entryName;`
`359`	`359`	`}`
`360`	`360`
`@@ -432,7 +432,7 @@ module.exports = function(/String/input) {`
`432`	`432`	`_zip.entries.forEach(function(entry) {`
`433`	`433`	`entryName = entry.entryName.toString();`
`434`	`434`
`435`		`- if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {`
	`435`	`+ if(!pth.resolve(targetPath, entryName).startsWith(pth.resolve(targetPath))) {`
`436`	`436`	`throw Utils.Errors.INVALID_FILENAME + ": " + entryName;`
`437`	`437`	`}`
`438`	`438`
`@@ -478,7 +478,7 @@ module.exports = function(/String/input) {`
`478`	`478`	`entryName = escapeFileName(entryName)`
`479`	`479`	`}`
`480`	`480`
`481`		`- if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {`
	`481`	`+ if(!pth.resolve(targetPath, entryName).startsWith(pth.resolve(targetPath))) {`
`482`	`482`	`throw Utils.Errors.INVALID_FILENAME + ": " + entryName;`
`483`	`483`	`}`
`484`	`484`