[Bug]: CBZ error of "Malicious Entry" during scan #3804

Open
nichwall opened this issue Jan 7, 2025 · 5 comments
Labels
awaiting release Issue is resolved and will be in the next release bug Something isn't working

Comments

@nichwall
Contributor

nichwall commented Jan 7, 2025

What happened?

(originally reported in Discord)
When uploading a CBZ file, an error occurs when parsing the CBZ. This is due to node-stream-zip detecting the backslashes as a potential directory traversal attack.

This is due to backslashes being used within the CBZ (such as when it is created on Windows). Recreating the CBZ with forward slashes for the directories fixed the issue and the CBZ is able to be scanned by ABS.

What did you expect to happen?

CBZ to be parsed correctly, or detection and correction of directory path if applicable.

Steps to reproduce the issue

  1. Build CBZ on Windows with backslashes in the directory structure.
  2. Attempt to scan book in ABS.

Audiobookshelf version

v2.17.7

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Windows

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

audiobookshelf-1  | [2025-01-06 15:48:32.914] INFO: [LibraryScanner] Starting library scan 4ff43d7d-8fe9-46fa-bed0-c107a08d7b07 for books
audiobookshelf-1  | [2025-01-06 15:48:33.096] ERROR: [parseComicMetadata] Failed to parse comic metadata at "/data/media/books/Willy Vandersteen/Suske en Wiske/Suske_En_Wiske_-_001_-_Op_het_Eiland_Amoras_-_1946.cbz" Error: Malicious entry: Suske En Wiske - 001 - Op het Eiland Amoras - 1946\001_01.webp
audiobookshelf-1  |     at ZipEntry.validateName (/server/libs/nodeStreamZip/index.js:898:13)
audiobookshelf-1  |     at FsRead.readEntriesCallback [as callback] (/server/libs/nodeStreamZip/index.js:349:17)
audiobookshelf-1  |     at FsRead.readCallback (/server/libs/nodeStreamZip/index.js:996:19)
audiobookshelf-1  |     at FSReqCallback.wrapper [as oncomplete] (node:fs:682:5)
audiobookshelf-1  | [2025-01-06 15:48:33.111] FATAL: [Server] Unhandled rejection: Error: Malicious entry: Suske En Wiske - 001 - Op het Eiland Amoras - 1946\001_01.webp

Additional Notes

No response

@nichwall nichwall added the bug Something isn't working label Jan 7, 2025
@advplyr
Owner

advplyr commented Jan 8, 2025

I'm not sure how to reproduce this. I just created a CBZ on Windows and it works fine. I'm not sure where backslashes are being specified?

@nichwall
Contributor Author

nichwall commented Jan 8, 2025

Originally posted here https://discord.com/channels/942908292873723984/942914154254176257/1325857075351261395

It looks like the backslash is a result of building the CBZ on Windows and is put into the file lookup, but I'm not sure if it is only specific software.

The error is from the path Error: Malicious entry: Suske En Wiske - 001 - Op het Eiland Amoras - 1946\001_01.webp, which has a backslash before the image name.

@advplyr
Owner

advplyr commented Jan 8, 2025

I was able to reproduce this after I was sent the bad file. I verified that running unzip -Z1 <filename> showed backslashes in the file paths. Other CBZ files I made on Windows used forward slashes.

I found that the CBZ with backslashes was likely created using an old .NET version. Found that here antelle/node-stream-zip#62

They reference the ZIP file specs that say using forward slashes is a requirement:

4.4.17.1 The name of the file, with optional relative path.
The path stored MUST NOT contain a drive or
device letter, or a leading slash. All slashes
MUST be forward slashes '/' as opposed to
backwards slashes '\' for compatibility with Amiga
and UNIX file systems etc. If input came from standard
input, there is no file name field.

For this reason I don't think we do anything with this issue unless it becomes a common problem in which case we could put something together to show a better error message.

@advplyr advplyr closed this as not planned Jan 8, 2025
@advplyr advplyr reopened this Jan 8, 2025
@advplyr
Owner

advplyr commented Jan 8, 2025

Actually I just realized this crashes the server so we should fix that

@advplyr advplyr added the awaiting release Issue is resolved and will be in the next release label Jan 8, 2025
@advplyr
Owner

advplyr commented Jan 8, 2025

This comic works now since the zip library in the frontend is able to extract the comic. The server will throw an error when trying to parse the metadata.
