From fa1163bbb4417b899aab8cc68bbe74bcbe85aa01 Mon Sep 17 00:00:00 2001
From: Chaitanya Mishra <chaitanyamishra.ai@gmail.com>
Date: Tue, 13 Jan 2026 16:39:43 +0530
Subject: [PATCH] fix(unzip): harden zip-slip path check

---
 src/test/fixtures/zip-files/index.ts            |   1 +
 .../zip-slip-prefix/archive.zip                 | Bin 0 -> 219 bytes
 src/unzip.ts                                    |  16 +++++-----------
 3 files changed, 6 insertions(+), 11 deletions(-)
 create mode 100644 src/test/fixtures/zip-files/node-unzipper-testData/zip-slip-prefix/archive.zip

diff --git a/src/test/fixtures/zip-files/index.ts b/src/test/fixtures/zip-files/index.ts
index c67c361d708..8997ebd3d57 100644
--- a/src/test/fixtures/zip-files/index.ts
+++ b/src/test/fixtures/zip-files/index.ts
@@ -10,6 +10,7 @@ export const ZIP_CASES = [
   { name: "compressed-standard" },
   { name: "uncompressed" },
   { name: "zip-slip", wantErr: "a path outside of" },
+  { name: "zip-slip-prefix", wantErr: "a path outside of" },
   { name: "zip64" },
 ].map(({ name, wantErr }) => ({
   name,
diff --git a/src/test/fixtures/zip-files/node-unzipper-testData/zip-slip-prefix/archive.zip b/src/test/fixtures/zip-files/node-unzipper-testData/zip-slip-prefix/archive.zip
new file mode 100644
index 0000000000000000000000000000000000000000..3d658a129a5fbf534defe88fec7c527144c2ed72
GIT binary patch
literal 219
zcmWIWW@h1H0D;Cv-I%Jg_S;#3Y!FspkYUi%)33@b&@IjZ5(P!6X_*zesb!ft`XEBD
zq@pA=gp+}}N--@Hgi9;985mi<GBPl*fXoA_;R^6(WRhdXWq|}p9RpAU!;(f2i?DU9
Y5bMya3h-uS1L<c3!ZaWq58^NY0KOM4{Qv*}

literal 0
HcmV?d00001

diff --git a/src/unzip.ts b/src/unzip.ts
index 3edd9687382..75b19d9b5d8 100644
--- a/src/unzip.ts
+++ b/src/unzip.ts
@@ -124,17 +124,11 @@ const extractEntriesFromBuffer = async (data: Buffer, outputDir: string): Promis
 };
 
 function isChildDir(parentDir: string, potentialChild: string): boolean {
-  try {
-    // 1. Resolve and normalize both paths to absolute paths
-    const resolvedParent = path.resolve(parentDir);
-    const resolvedChild = path.resolve(potentialChild);
-    // The child path must start with the parent path and not be the same path.
-    return resolvedChild.startsWith(resolvedParent) && resolvedChild !== resolvedParent;
-  } catch (error) {
-    // If either path does not exist, an error will be thrown.
-    // In this case, the potential child cannot be a subdirectory.
-    return false;
-  }
+  const resolvedParent = path.resolve(parentDir);
+  const resolvedChild = path.resolve(potentialChild);
+  const relative = path.relative(resolvedParent, resolvedChild);
+  // relative path must not escape the parent and must not be the parent itself
+  return relative !== "" && !relative.startsWith("..") && !path.isAbsolute(relative);
 }
 
 export const unzip = async (inputPath: string, outputDir: string): Promise<void> => {