From 8563fea03ef86b73bd7f08aa9547d78f372a16fa Mon Sep 17 00:00:00 2001
From: Cade Ayres
Date: Sat, 16 Nov 2024 16:59:37 +0000
Subject: [PATCH] Updated extraction to extract with key of original file path, extracting to a safe location (#1557)
---
 src/providers/generic/zip/AdmZipProvider.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/generic/zip/AdmZipProvider.ts b/src/providers/generic/zip/AdmZipProvider.ts
index d12d14f99..001366325 100644
--- a/src/providers/generic/zip/AdmZipProvider.ts
+++ b/src/providers/generic/zip/AdmZipProvider.ts
@@ -24,9 +24,9 @@ export default class AdmZipProvider extends ZipProvider {
 async extractEntryTo(zip: string | Buffer, target: string, outputPath: string): Promise {
 const adm = new AdmZip(zip);
- target = target.replace(/\\/g, '/');
+ const safeTarget = target.replace(/\\/g, '/');
 outputPath = outputPath.replace(/\\/g, '/');
- var fullPath = path.join(outputPath, target).replace(/\\/g, '/');
+ var fullPath = path.join(outputPath, safeTarget).replace(/\\/g, '/');
 if(!path.posix.normalize(fullPath).startsWith(outputPath)) {
 throw Error("Entry " + target + " would extract outside of expected folder");