Add jwilk's path traversal tests

rubyzip · simonoff · Aug 31, 2018 · Jul 1, 2018 · Jul 1, 2018 · Aug 26, 2018
commit 9c468f30f38d09451e5a65edfff277cfe381fd49
diff --git a/test/data/jwilk-path-traversal-samples/README.md b/test/data/jwilk-path-traversal-samples/README.md
@@ -0,0 +1,5 @@
+# Path Traversal Samples
+
+Copied from https://github.com/jwilk/path-traversal-samples on 2018-08-26.
+
+License: MIT
diff --git a/test/data/jwilk-path-traversal-samples/absolute1.zip b/test/data/jwilk-path-traversal-samples/absolute1.zip
diff --git a/test/data/jwilk-path-traversal-samples/absolute2.zip b/test/data/jwilk-path-traversal-samples/absolute2.zip
diff --git a/test/data/jwilk-path-traversal-samples/dirsymlink.zip b/test/data/jwilk-path-traversal-samples/dirsymlink.zip
diff --git a/test/data/jwilk-path-traversal-samples/dirsymlink2a.zip b/test/data/jwilk-path-traversal-samples/dirsymlink2a.zip
diff --git a/test/data/jwilk-path-traversal-samples/dirsymlink2b.zip b/test/data/jwilk-path-traversal-samples/dirsymlink2b.zip
diff --git a/test/data/jwilk-path-traversal-samples/relative0.zip b/test/data/jwilk-path-traversal-samples/relative0.zip
diff --git a/test/data/jwilk-path-traversal-samples/relative2.zip b/test/data/jwilk-path-traversal-samples/relative2.zip
diff --git a/test/data/jwilk-path-traversal-samples/symlink.zip b/test/data/jwilk-path-traversal-samples/symlink.zip
diff --git a/test/path_traversal_test.rb b/test/path_traversal_test.rb
@@ -0,0 +1,88 @@
+class PathTraversalTest < MiniTest::Test
+  TEST_FILE_ROOT = File.absolute_path('test/data/jwilk-path-traversal-samples')
+
+  def setup
+    FileUtils.rm_f '/tmp/moo' # with apologies to anyone using this file
+  end
+
+  def extract_path_traversal_zip(name)
+    Zip::File.open(File.join(TEST_FILE_ROOT, name)) do |zip_file|
+      zip_file.each do |entry|
+        entry.extract
+      end
+    end
+  end
+
+  def in_tmpdir
+    Dir.mktmpdir do |tmp|
+      test_path = File.join(tmp, 'test')
+      Dir.mkdir test_path
+      Dir.chdir(test_path) do
+        yield
+      end
+    end
+  end
+
+  def test_leading_slash
+    in_tmpdir do
+      extract_path_traversal_zip 'absolute1.zip'
+      assert !File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_multiple_leading_slashes
+    in_tmpdir do
+      extract_path_traversal_zip 'absolute2.zip'
+      assert !File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_leading_dot_dot
+    in_tmpdir do
+      extract_path_traversal_zip 'relative0.zip'
+      assert !File.exist?('../moo')
+    end
+  end
+
+  def test_non_leading_dot_dot
+    in_tmpdir do
+      extract_path_traversal_zip 'relative2.zip'
+      assert !File.exist?('../moo')
+    end
+  end
+
+  def test_file_symlink
+    in_tmpdir do
+      extract_path_traversal_zip 'symlink.zip'
+      assert File.exist?('moo')
+      assert !File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_directory_symlink
+    in_tmpdir do
+      extract_path_traversal_zip 'dirsymlink.zip'
+      assert !File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_two_directory_symlinks_a
+    in_tmpdir do
+      # Can't create par/moo because the symlink par is skipped.
+      assert_raises Errno::ENOENT do
+        extract_path_traversal_zip 'dirsymlink2a.zip'
+      end
+      assert File.exist?('cur')
+      assert_equal '.', File.readlink('cur')
+    end
+  end
+
+  def test_two_directory_symlinks_b
+    in_tmpdir do
+      extract_path_traversal_zip 'dirsymlink2b.zip'
+      assert File.exist?('cur')
+      assert_equal '.', File.readlink('cur')
+      assert !File.exist?('../moo')
+    end
+  end
+end