Set validate_entry_sizes flag to true for rubyzip 1.3.0

This flag must be set in order to use the validation against zip bombs described in rubyzip/rubyzip#403. See main repo PR ManageIQ/manageiq#19360
d-m-u · Oct 3, 2019 · 87ac686 · 87ac686
1 parent 7c9d052
commit 87ac686
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/app/models/miq_ae_yaml_export_zipfs.rb b/app/models/miq_ae_yaml_export_zipfs.rb
@@ -19,6 +19,9 @@ def write_data(base_path, export_hash)
 
   def export
     require 'zip/filesystem'
+    # we need to set this flag to true until we can upgrade to rubyzip 2.0.0
+    # see https://github.com/rubyzip/rubyzip/pull/403#issue-317103816
+    Zip.validate_entry_sizes = true
 
     Zip::File.open(@temp_file_name, Zip::File::CREATE) do |zf|
       @zip_file = zf

diff --git a/app/models/miq_ae_yaml_import_zipfs.rb b/app/models/miq_ae_yaml_import_zipfs.rb
@@ -7,6 +7,9 @@ def initialize(domain, options)
 
   def load_zip
     require 'zip/filesystem'
+    # we need to set this flag to true until we can upgrade to rubyzip 2.0.0
+    # see https://github.com/rubyzip/rubyzip/pull/403#issue-317103816
+    Zip.validate_entry_sizes = true
 
     raise MiqAeException::FileNotFound, "import file: #{@options['zip_file']} not found" \
       unless File.exist?(@options['zip_file'])

diff --git a/spec/models/miq_ae_yaml_import_export_spec.rb b/spec/models/miq_ae_yaml_import_export_spec.rb
@@ -976,6 +976,10 @@ def check_class_component_counts(counts)
 
   def create_bogus_zip_file
     require 'zip/filesystem'
+    # we need to set this flag to true until we can upgrade to rubyzip 2.0.0
+    # see https://github.com/rubyzip/rubyzip/pull/403#issue-317103816
+    Zip.validate_entry_sizes = true
+
     Zip::File.open(@zip_file, Zip::File::CREATE) do |zh|
       zh.file.open("first.txt", "w") { |f| f.puts "Hello world" }
       zh.dir.mkdir("mydir")