Posted to commits@commons.apache.org by bo...@apache.org on 2018/05/11 19:50:07 UTC
[3/3] commons-compress git commit: add test for path sanity check
add test for path sanity check
Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/8cc2702c
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/8cc2702c
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/8cc2702c
Branch: refs/heads/master
Commit: 8cc2702c9bc6f39bb7eaba8a35a171869bb3f394
Parents: 63eeef3
Author: Stefan Bodewig <bo...@apache.org>
Authored: Fri May 11 21:49:45 2018 +0200
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Fri May 11 21:49:45 2018 +0200
----------------------------------------------------------------------
.../archivers/examples/ExpanderTest.java | 40 +++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/8cc2702c/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
index 4fbc394..751f010 100644
--- a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
+++ b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
@@ -43,11 +43,15 @@ import org.apache.commons.compress.archivers.sevenz.SevenZOutputFile;
import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.commons.compress.utils.IOUtils;
import org.junit.Assert;
-import org.junit.Before;
+import org.junit.Rule;
import org.junit.Test;
+import org.junit.rules.ExpectedException;
public class ExpanderTest extends AbstractTestCase {
+ @Rule
+ public ExpectedException thrown = ExpectedException.none();
+
private File archive;
@Test
@@ -107,6 +111,25 @@ public class ExpanderTest extends AbstractTestCase {
verifyTargetDir();
}
+ @Test
+ public void fileCantEscapeViaAbsolutePath() throws IOException, ArchiveException {
+ setupZip("/tmp/foo");
+ try (ZipFile f = new ZipFile(archive)) {
+ new Expander().expand(f, resultDir);
+ }
+ assertHelloWorld("tmp/foo", "1");
+ }
+
+ @Test
+ public void fileCantEscapeDoubleDotPath() throws IOException, ArchiveException {
+ thrown.expect(IOException.class);
+ thrown.expectMessage("expanding ../foo would create file outside of");
+ setupZip("../foo");
+ try (ZipFile f = new ZipFile(archive)) {
+ new Expander().expand(f, resultDir);
+ }
+ }
+
private void setup7z() throws IOException, ArchiveException {
archive = new File(dir, "test.7z");
File dummy = new File(dir, "x");
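Review bot: `fileCantEscapeDoubleDotPath` only asserts that an `IOException` with the expected message is thrown; it never checks that nothing was created outside `resultDir`, so an implementation that wrote the file first and threw afterwards would still pass. Because the `ExpectedException` rule ends the test at the throw, an assertion placed after `expand` would never run, so the check needs an explicit try/catch followed by an `assertFalse` on the location the entry would have reached. `fileCantEscapeViaAbsolutePath` has the same gap: it confirms the file landed at `tmp/foo` under the result directory but not that the absolute location stayed untouched. Only a leading `../` through the `ZipFile` overload is exercised here; whether the other `expand` overloads share the check is not visible from this hunk.

```java
@Test
public void fileCantEscapeDoubleDotPath() throws IOException, ArchiveException {
    setupZip("../foo");
    try (ZipFile f = new ZipFile(archive)) {
        new Expander().expand(f, resultDir);
        Assert.fail("expected IOException for entry ../foo");
    } catch (IOException ex) {
        Assert.assertTrue(ex.getMessage()
            .contains("expanding ../foo would create file outside of"));
    }
    // the rejected entry must not have been written before the check fired
    Assert.assertFalse("entry was written outside the target directory",
        new File(resultDir, "../foo").exists());
}
```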
@@ -154,6 +177,21 @@ public class ExpanderTest extends AbstractTestCase {
}
}
+ private void setupZip(String entry) throws IOException, ArchiveException {
+ archive = new File(dir, "test.zip");
+ File dummy = new File(dir, "x");
+ try (OutputStream o = Files.newOutputStream(dummy.toPath())) {
+ o.write(new byte[14]);
+ }
+ try (ArchiveOutputStream aos = new ArchiveStreamFactory()
+ .createArchiveOutputStream("zip", Files.newOutputStream(archive.toPath()))) {
+ aos.putArchiveEntry(aos.createArchiveEntry(dummy, entry));
+ aos.write("Hello, world 1".getBytes(StandardCharsets.UTF_8));
+ aos.closeArchiveEntry();
+ aos.finish();
+ }
+ }
+
private void verifyTargetDir() throws IOException {
Assert.assertTrue("a has not been created", new File(resultDir, "a").isDirectory());
Assert.assertTrue("a/b has not been created", new File(resultDir, "a/b").isDirectory());
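Review bot: The `new byte[14]` in `setupZip` is an undocumented magic number: 14 is the UTF-8 length of "Hello, world 1", and the dummy file presumably exists only so `createArchiveEntry` can take the entry's size and metadata from it. A comment such as `// dummy only supplies size/metadata; its length must equal the payload written below` would make that coupling explicit, or the payload bytes could be computed once and used for both the dummy file and `aos.write`. It would also help to note in a short Javadoc that `entry` appears to be stored as given, since both new tests depend on the unsanitised name reaching `Expander`.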