Both upload and fetch routes extract user-supplied .tgz archives with strip: 1 but no path validation. A crafted archive can escape the extraction directory.
Fix
Add an onentry callback to verify each resolved path stays inside the target directory.