add test for path sanity check
Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/8cc2702c
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/8cc2702c
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/8cc2702c
Branch: refs/heads/master
Commit: 8cc2702c9bc6f39bb7eaba8a35a171869bb3f394
Parents: 63eeef3
Author: Stefan Bodewig <bode...@apache.org>
Authored: Fri May 11 21:49:45 2018 +0200
Committer: Stefan Bodewig <bode...@apache.org>
Committed: Fri May 11 21:49:45 2018 +0200
----------------------------------------------------------------------
.../archivers/examples/ExpanderTest.java | 40 +++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/8cc2702c/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
index 4fbc394..751f010 100644
--- a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
+++ b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
@@ -43,11 +43,15 @@ import org.apache.commons.compress.archivers.sevenz.SevenZOutputFile;
 import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.commons.compress.utils.IOUtils;
 import org.junit.Assert;
-import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 public class ExpanderTest extends AbstractTestCase {
+ @Rule
+ public ExpectedException thrown = ExpectedException.none();
+
 private File archive;
 @Test
@@ -107,6 +111,25 @@ public class ExpanderTest extends AbstractTestCase {
 verifyTargetDir();
 }
+ @Test
+ public void fileCantEscapeViaAbsolutePath() throws IOException, ArchiveException {
+ setupZip("/tmp/foo");
+ try (ZipFile f = new ZipFile(archive)) {
+ new Expander().expand(f, resultDir);
+ }
+ assertHelloWorld("tmp/foo", "1");
+ }
+
+ @Test
+ public void fileCantEscapeDoubleDotPath() throws IOException, ArchiveException {
+ thrown.expect(IOException.class);
+ thrown.expectMessage("expanding ../foo would create file outside of");
+ setupZip("../foo");
+ try (ZipFile f = new ZipFile(archive)) {
+ new Expander().expand(f, resultDir);
+ }
+ }
+
 private void setup7z() throws IOException, ArchiveException {
 archive = new File(dir, "test.7z");
 File dummy = new File(dir, "x");
@@ -154,6 +177,21 @@ public class ExpanderTest extends AbstractTestCase {
 }
 }
+ private void setupZip(String entry) throws IOException, ArchiveException {
+ archive = new File(dir, "test.zip");
+ File dummy = new File(dir, "x");
+ try (OutputStream o = Files.newOutputStream(dummy.toPath())) {
+ o.write(new byte[14]);
+ }
+ try (ArchiveOutputStream aos = new ArchiveStreamFactory()
+ .createArchiveOutputStream("zip", Files.newOutputStream(archive.toPath()))) {
+ aos.putArchiveEntry(aos.createArchiveEntry(dummy, entry));
+ aos.write("Hello, world 1".getBytes(StandardCharsets.UTF_8));
+ aos.closeArchiveEntry();
+ aos.finish();
+ }
+ }
+
 private void verifyTargetDir() throws IOException {
 Assert.assertTrue("a has not been created", new File(resultDir, "a").isDirectory());
 Assert.assertTrue("a/b has not been created", new File(resultDir, "a/b").isDirectory());
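Review bot: In the second hunk, `fileCantEscapeDoubleDotPath` ends at the expected exception, so it never checks that no `foo` was actually created outside `resultDir`; an implementation that writes the file and only then throws would still pass. Catching the `IOException` explicitly lets the test assert the message and then the absence of the file, as sketched below (this assumes `resultDir` has a parent directory, which the hunk does not show). With that shape this test no longer needs the `ExpectedException` rule added in the first hunk. Only the `ZipFile` overload of `expand` is exercised here; whether the other overloads share the same check is not visible in this diff.

```java
@Test
public void fileCantEscapeDoubleDotPath() throws IOException, ArchiveException {
    setupZip("../foo");
    try (ZipFile f = new ZipFile(archive)) {
        new Expander().expand(f, resultDir);
        Assert.fail("expected IOException for entry ../foo");
    } catch (IOException ex) {
        Assert.assertTrue(ex.getMessage().contains("expanding ../foo would create file outside of"));
    }
    // the rejected entry must not have been written next to the target directory
    Assert.assertFalse(new File(resultDir.getParentFile(), "foo").exists());
}
```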
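Review bot: In the third hunk, `setupZip` never confirms that the name it was given is what ends up stored in the archive, so `fileCantEscapeViaAbsolutePath` cannot tell whether `Expander` neutralised `/tmp/foo` or the zip writer had already dropped the leading slash (the hunk does not show which). Asserting it where the archive is reopened, e.g. `Assert.assertNotNull(f.getEntry("/tmp/foo"));` before the `expand` call, would pin that down. The `new byte[14]` dummy also appears to be sized to match the UTF-8 length of `"Hello, world 1"`; a short comment saying so, or deriving the length from the payload, would keep the two from drifting apart.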