🛡️ Sentinel: [CRITICAL] Fix Zip Slip (path traversal) vulnerability in zip extraction

[dttdrv]

🚨 Severity: CRITICAL
💡 Vulnerability: The backend data processing scripts (scripts/processGeoNames.cjs, scripts/processAllCountries.cjs, scripts/processFullBulgaria.cjs) were using adm-zip's extractAllTo function. This function does not validate if the entries within the zip archive are attempting to break out of the target directory (e.g. using ../../). This is known as a "Zip Slip" vulnerability, which could lead to arbitrary file writes during data processing.
🎯 Impact: If a malicious ZIP file were substituted or fetched during the build process, it could overwrite critical system files or inject malicious code onto the host server/machine running the build step.
🔧 Fix: Replaced zip.extractAllTo with a secure manual extraction loop. The code now iterates over each entry, constructs the targetPath, and strictly checks if it falls within the intended resolvedDest directory. Any entry attempting path traversal is safely skipped.
✅ Verification:

• Added a dedicated test script (tests/verifyzipslipfix.cjs) that simulates a malicious zip file. It ensures the traversal is successfully blocked.
• Appended "test:zipslip" to package.json for CI enforcement.
• Successfully verified with pnpm lint, pnpm test, and pnpm build.

---

PR created automatically by Jules for task 3361689943883600975 started by @dttdrv

[cloudflare-workers-and-pages]

Deploying schoolmap with    Cloudflare Pages

Latest commit:	8a5685e
Status:	✅  Deploy successful!
Preview URL:	https://9c82d0f0.schoolmap.pages.dev
Branch Preview URL:	https://jules-sentinel-zip-slip-fix.schoolmap.pages.dev

View logs

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[Copilot]

Pull request overview

This PR addresses a critical Zip Slip (path traversal) risk in the repository’s GeoNames data-processing scripts by replacing adm-zip bulk extraction with per-entry validation to ensure ZIP entries cannot write outside the intended destination directory.

Changes:

• Replaced adm-zip’s extractAllTo(...) usage with a manual extraction loop that skips entries resolving outside the destination directory.
• Added a standalone Node test script to simulate a malicious ZIP entry and verify traversal is blocked.
• Added a test:zipslip script to package.json to make the check runnable in CI.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/verifyzipslipfix.cjs	Adds a regression test that simulates a traversal entry and asserts it is blocked.
scripts/processGeoNames.cjs	Implements per-entry path validation during ZIP extraction to prevent Zip Slip.
scripts/processFullBulgaria.cjs	Implements the same safe extraction logic for BG.zip processing.
scripts/processAllCountries.cjs	Implements the same safe extraction logic for multi-country ZIP processing.
package.json	Adds test:zipslip script to run the new verification test.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Zip Slip prevention logic is repeated in multiple processing scripts. To keep the security check consistent, consider centralizing it in a shared helper (scripts/utils/...) and calling it from here.

[Copilot]

This test only verifies that a malicious entry is skipped, but it doesn’t validate that a normal (non-traversal) entry still extracts successfully. Consider adding both a safe entry (e.g. nested path under destDir) and a malicious entry to the zip, then asserting the safe file exists inside destDir after extraction and the malicious path does not.

[Copilot]

Adding only a namespaced script (test:zipslip) may not be picked up by CI setups that run the default npm test / pnpm test. Consider also adding/updating a top-level test script to run this check (and any other tests) so it is enforced consistently.

Suggested change

	"preview": "vite preview",
	"preview": "vite preview",
	"test": "npm run test:zipslip",

[Copilot]

The new safe-zip extraction logic is duplicated here (and in the other GeoNames scripts). Consider moving this loop into a shared helper (e.g., scripts/utils/extractZipSafe.cjs) to avoid the three implementations drifting over time and to make future security fixes one-shot.

[Copilot]

This safe-zip extraction loop is duplicated across multiple scripts in this PR. To reduce maintenance risk (especially for security logic), consider extracting it into a shared utility under scripts/utils and reusing it from each script.