Use modified unzip to prevent zip symlink attack

7 years ago · bd87775f23
2 changed files with 2 additions and 1 deletions
--- a/bin/unzip
+++ b/bin/unzip
--- a/models/problem.js
+++ b/models/problem.js
@ -340,7 +340,8 @@ class Problem extends Model {
      await fs.remove(dir);
      await fs.ensureDir(dir);

-      await p7zip.extract(path, dir);
+      let execFileAsync = Promise.promisify(require('child_process').execFile);
+      await execFileAsync(__dirname + '/../bin/unzip', ['-j', '-o', '-d', dir, path]);
      await fs.move(path, this.getTestdataArchivePath(), { overwrite: true });
    });
  }