lineaje-labs-gos · vgauravk · Oct 13, 2025 · Oct 15, 2025
diff --git a/lib/load.js b/lib/load.js
@@ -18,9 +18,30 @@ module.exports = function(data, options) {
 
     zipEntries = new ZipEntries(data, options);
     files = zipEntries.files;
+
+    function sanitizeFileName(name) {
+        if (!name) return null;
+        name = name.replace(/\\/g, '/');
+        name = name.replace(/^([A-Za-z]:)?[\/]+/, '');
+        var parts = [];
+        name.split('/').forEach(function(part) {
+            if (part === '' || part === '.') return;
+            if (part === '..') {
+                if (parts.length > 0) parts.pop();
+            } else {
+                parts.push(part);
+            }
+        });
+        return parts.join('/');
+    }
+
     for (i = 0; i < files.length; i++) {
         input = files[i];
-        this.file(input.fileNameStr, input.decompressed, {
+        var safeName = sanitizeFileName(input.fileNameStr);
+        if (!safeName) {
+            continue;
+        }
+        this.file(safeName, input.decompressed, {
             binary: true,
             optimizedBinaryString: true,
             date: input.date,

diff --git a/test/test.js b/test/test.js
@@ -1468,6 +1468,42 @@ test("createFolders works on a folder", function () {
    equal(zip.files["true/"].unixPermissions, null, "the options are not propagated");
 });
 
+test("Prevent Zip Slip", function () {
+    stop(); // for async-like control
+
+    try {
+        var zip = new JSZip();
+        zip.file("../evil.txt", "malicious content");
+
+        // synchronous generate in 2.7.0
+        var content = zip.generate({ type: "nodebuffer" });
+
+        var fs = require("fs");
+        var path = require("path");
+        var os = require("os");
+
+        var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "ziptest-"));
+        var zipPath = path.join(tmpDir, "test.zip");
+        fs.writeFileSync(zipPath, content);
+
+        var JSZip2 = require("../lib");
+        var data = fs.readFileSync(zipPath);
+        var loadedZip = new JSZip2(data);
+
+        var entryNames = Object.keys(loadedZip.files);
+        var hasTraversal = entryNames.some(function (entry) {
+            return entry.includes("..");
+        });
+
+        ok(!hasTraversal, "Zip Slip prevented: no directory traversal entries allowed");
+        start();
+    } catch (err) {
+        ok(true, "Extraction blocked or error thrown: " + err.message);
+        start();
+    }
+});
+
+
 
 // touch file_{666,640,400,755}
 // mkdir dir_{777,755,500}