TypeScript Snippet #01

This challenge covers the review of a snippet of code written in TypeScript

PRO
Tier
Easy
< 1 Hr.
786

Course


The Code Review Snippet challenges are designed to provide you with small snippets of vulnerable code, allowing you to practice identifying and understanding security issues. In this TypeScript challenge, we examine a function named `extract`, which takes a zip file as input and extracts its contents. The function utilizes the `yauzl` library to open and read entries from the zip file, writing the extracted files to the filesystem.

The key issue in this code is located on line 13, where the `entry.fileName` from the zip file is directly used to create a write stream. This approach makes the code susceptible to directory traversal attacks. An attacker could craft a zip file with malicious filenames like `../../../`, allowing them to overwrite critical files on the filesystem and potentially gain unauthorized access or cause unexpected behavior in the application.

Want to learn more? Get started with PentesterLab Pro! GO PRO