Improve unarchive inspection (#1899)

jfrog · Apr 23, 2023 · ed8ce92 · ed8ce92
1 parent 56e406d
commit ed8ce92
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 44 deletions.
diff --git a/artifactory/cli.go b/artifactory/cli.go
@@ -2686,6 +2686,7 @@ func createDefaultDownloadSpec(c *cli.Context) (*spec.SpecFiles, error) {
 		Exclusions(cliutils.GetStringsArrFlagValue(c, "exclusions")).
 		Flat(c.Bool("flat")).
 		Explode(c.String("explode")).
+		BypassArchiveInspection(c.Bool("bypass-archive-inspection")).
 		IncludeDirs(c.Bool("include-dirs")).
 		Target(c.Args().Get(1)).
 		ArchiveEntries(c.String("archive-entries")).

diff --git a/documentation/CLI-for-JFrog-Artifactory.md b/documentation/CLI-for-JFrog-Artifactory.md
@@ -230,7 +230,7 @@ This command is used to upload files to Artifactory.
 | --dry-run | \[Default: false\]<br><br>If true, the command only indicates which artifacts would have been uploaded<br><br>If false, the command is fully executed and uploads artifacts as specified |
 | --symlinks | \[Default: false\]<br><br>If true, the command will preserve the soft links structure in Artifactory. The **[symlink](#CLIforJFrogArtifactory-StoringSymlinksinArtifactory)** file representation will contain the symbolic link and checksum properties. |
 | --explode | \[Default: false\]<br><br>If true, the command will extract an archive containing multiple artifacts after it is deployed to Artifactory, while maintaining the archive's file structure. |
-| --include-dirs | \[Default: false\]<br><br>If true, the source path applies to bottom-chain directories and not only to files. Botton-chain directories are either empty or do not include other directories that match the source path. |
+| --include-dirs | \[Default: false\]<br><br>If true, the source path applies to bottom-chain directories and not only to files. Bottom-chain directories are either empty or do not include other directories that match the source path. |
 | --exclusions | \[Optional\]<br><br>A list of Semicolon-separated exclude patterns. Allows using wildcards, regular expressions or ANT patterns, according to the value of the-_-regexp_ and _--ant_ options. Please read the _--regexp_ and _--ant_ options description for more information. |
 | --sync-deletes | \[Optional\]<br><br>Specific path in Artifactory, under which to sync artifacts after the upload. After the upload, this path will include only the artifacts uploaded during this upload operation. The other files under this path will be deleted. |
 | --quiet | \[Default: false\]<br><br>If true, the delete confirmation message is skipped. |
@@ -326,7 +326,7 @@ This command is used to download files from Artifactory.
 | --dry-run | \[Default: false\]<br><br>If true, the command only indicates which artifacts would have been downloaded.<br><br>If false, the command is fully executed and downloads artifacts as specified. |
 | --explode | \[Default: false\]<br><br>Set to true to extract an archive after it is downloaded from Artifactory.<br><br>Supported compression formats: br, bz2, gz, lz4, sz, xz, zstd.<br><br>Supported archive formats: zip, tar (including any compressed variants like tar.gz), rar. |
 | --validate-symlinks | \[Default: false\]<br><br>If true, the command will validate that **[symlinks](#CLIforJFrogArtifactory-StoringSymlinksinArtifactory)** are pointing to existing and unchanged files, by comparing their sha1. Applicable to files and not directories. |
-| --include-dirs | \[Default: false\]<br><br>If true, the source path applies to bottom-chain directories and not only to files. Botton-chain directories are either empty or do not include other directories that match the source path. |
+| --include-dirs | \[Default: false\]<br><br>If true, the source path applies to bottom-chain directories and not only to files. Bottom-chain directories are either empty or do not include other directories that match the source path. |
 | --exclusions | A list of Semicolon-separated exclude patterns. Allows using wildcards. |
 | --sync-deletes | \[Optional\]<br><br>Specific path in the local file system, under which to sync dependencies after the download. After the download, this path will include only the dependencies downloaded during this download operation. The other files under this path will be deleted. |
 | --quiet | \[Default: false\]<br><br>If true, the delete confirmation message is skipped. |

diff --git a/go.mod b/go.mod
@@ -121,8 +121,8 @@ require (
 
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230316095417-a9f6b73206d7
 
-replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230421110512-24531b843d73
+replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230423061743-def5242e8ac8
 
-// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230403151438-7b671f1f663a
+replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230423063831-5d02853d5601
 
-// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.5-0.20221107113836-a4c9225c690e
+replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27
diff --git a/go.sum b/go.sum
@@ -240,12 +240,12 @@ github.com/jedib0t/go-pretty/v6 v6.4.6/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVf
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jfrog/build-info-go v1.9.2 h1:gSX9PH3whFcAMtM9dlPxRE7u9YuYcx8IkfVXQKRjWw0=
 github.com/jfrog/build-info-go v1.9.2/go.mod h1:hHXyLsG0SW1jQa4g6q8x2LGAvvX/MMqWVFTcIUAF2PI=
-github.com/jfrog/gofrog v1.2.5 h1:jCgJC0iGQ8bU7jCC+YEFJTNINyngApIrhd8BjZAVRIE=
-github.com/jfrog/gofrog v1.2.5/go.mod h1:o00tSRff6IapTgaCMuX1Cs9MH08Y1JqnsKgRtx91Gc4=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.2 h1:vrYy6sJzu7AG6l1mnMrnOiy+KQk5Q2SHE9jxpo9oaTY=
-github.com/jfrog/jfrog-cli-core/v2 v2.31.2/go.mod h1:FCDD9AMBQyUtfc517U3nDIeFteEXVZmpINn0x93y6nA=
-github.com/jfrog/jfrog-client-go v1.28.1-0.20230421110512-24531b843d73 h1:LNxFfHaS5WMLDf7rTWr8Uvgi+fFINBuBVZYsNZtvx4Q=
-github.com/jfrog/jfrog-client-go v1.28.1-0.20230421110512-24531b843d73/go.mod h1:ULqUGW9pie9xZCDoFO3JyWr6wRR/rp+qzOvAXzIVr+0=
+github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 h1:jX3UD9qVfj9cuyOe7pN7LlB9JKH5A/3vctjnBpWCKsU=
+github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230423063831-5d02853d5601 h1:MHOaPGT0teVWb9H+yCAhatifcj6z0g7oW8nf0lOQz44=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230423063831-5d02853d5601/go.mod h1:zdbsIPETzd5S/Q9wg0OF2vZKF4IiL+TizdNGV2sdqK0=
+github.com/jfrog/jfrog-client-go v1.28.1-0.20230423061743-def5242e8ac8 h1:ttTpZzsbKo8eGHr5EqiVPJgY6IUG2BM6bwApixUnJv8=
+github.com/jfrog/jfrog-client-go v1.28.1-0.20230423061743-def5242e8ac8/go.mod h1:X5LKqXKQByyxVvP/MpqYQZdR5eIvdoC6uyn6EtKw8H0=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jszwec/csvutil v1.8.0 h1:G7vS2LGdpZZDH1HmHeNbxOaJ/ZnJlpwGFvOkTkJzzNk=

diff --git a/plugins/commands/install.go b/plugins/commands/install.go
@@ -276,5 +276,5 @@ func downloadFromArtifactory(downloadDetails *httpclient.DownloadFileDetails, ht
 		return
 	}
 	log.Info("Downloading: " + downloadDetails.FileName)
-	return client.DownloadFileWithProgress(downloadDetails, "", httpDetails, false, progressMgr)
+	return client.DownloadFileWithProgress(downloadDetails, "", httpDetails, false, false, progressMgr)
 }
diff --git a/schema/filespec-schema.json b/schema/filespec-schema.json
@@ -83,6 +83,12 @@
         "description": "If true, archive file is extracted after the operation. The archived file itself is deleted. The supported archive types are: zip, tar; tar.gz; and tgz.",
         "default": "false"
       },
+      "bypass-archive-inspection": {
+        "type": "string",
+        "enum": ["true", "false"],
+        "description": "If true, bypass the security inspection the archive go through before it is unarchived.",
+        "default": "false"
+      },
       "flat": {
         "type": "string",
         "enum": ["true", "false"],
@@ -98,7 +104,7 @@
       "includeDirs": {
         "type": "string",
         "enum": ["true", "false"],
-        "description": "If true, the source path applies to bottom-chain directories and not only to files. Botton-chain directories are either empty or do not include other directories that match the source path.",
+        "description": "If true, the source path applies to bottom-chain directories and not only to files. Bottom-chain directories are either empty or do not include other directories that match the source path.",
         "default": "false"
       },
       "limit": {

diff --git a/utils/cliutils/commandsflags.go b/utils/cliutils/commandsflags.go
@@ -163,35 +163,36 @@ const (
 	module      = "module"
 
 	// Generic commands flags
-	exclusions       = "exclusions"
-	recursive        = "recursive"
-	flat             = "flat"
-	build            = "build"
-	excludeArtifacts = "exclude-artifacts"
-	includeDeps      = "include-deps"
-	regexpFlag       = "regexp"
-	retries          = "retries"
-	retryWaitTime    = "retry-wait-time"
-	dryRun           = "dry-run"
-	explode          = "explode"
-	includeDirs      = "include-dirs"
-	props            = "props"
-	targetProps      = "target-props"
-	excludeProps     = "exclude-props"
-	failNoOp         = "fail-no-op"
-	threads          = "threads"
-	syncDeletes      = "sync-deletes"
-	quiet            = "quiet"
-	bundle           = "bundle"
-	publicGpgKey     = "gpg-key"
-	archiveEntries   = "archive-entries"
-	detailedSummary  = "detailed-summary"
-	archive          = "archive"
-	syncDeletesQuiet = syncDeletes + "-" + quiet
-	antFlag          = "ant"
-	fromRt           = "from-rt"
-	transitive       = "transitive"
-	Status           = "status"
+	exclusions              = "exclusions"
+	recursive               = "recursive"
+	flat                    = "flat"
+	build                   = "build"
+	excludeArtifacts        = "exclude-artifacts"
+	includeDeps             = "include-deps"
+	regexpFlag              = "regexp"
+	retries                 = "retries"
+	retryWaitTime           = "retry-wait-time"
+	dryRun                  = "dry-run"
+	explode                 = "explode"
+	bypassArchiveInspection = "bypass-archive-inspection"
+	includeDirs             = "include-dirs"
+	props                   = "props"
+	targetProps             = "target-props"
+	excludeProps            = "exclude-props"
+	failNoOp                = "fail-no-op"
+	threads                 = "threads"
+	syncDeletes             = "sync-deletes"
+	quiet                   = "quiet"
+	bundle                  = "bundle"
+	publicGpgKey            = "gpg-key"
+	archiveEntries          = "archive-entries"
+	detailedSummary         = "detailed-summary"
+	archive                 = "archive"
+	syncDeletesQuiet        = syncDeletes + "-" + quiet
+	antFlag                 = "ant"
+	fromRt                  = "from-rt"
+	transitive              = "transitive"
+	Status                  = "status"
 
 	// Config flags
 	interactive   = "interactive"
@@ -761,6 +762,10 @@ var flagsMap = map[string]cli.Flag{
 		Name:  explode,
 		Usage: "[Default: false] Set to true to extract an archive after it is downloaded from Artifactory.` `",
 	},
+	bypassArchiveInspection: cli.BoolFlag{
+		Name:  bypassArchiveInspection,
+		Usage: "[Default: false] Set to true to bypass the archive security inspection before it is unarchived. Used with the 'explode' option. ` `",
+	},
 	validateSymlinks: cli.BoolFlag{
 		Name:  validateSymlinks,
 		Usage: "[Default: false] Set to true to perform a checksum validation when downloading symbolic links.` `",
@@ -1543,8 +1548,8 @@ var commandFlags = map[string][]string{
 		url, user, password, accessToken, sshPassphrase, sshKeyPath, serverId, ClientCertPath,
 		ClientCertKeyPath, specFlag, specVars, buildName, buildNumber, module, exclusions, sortBy,
 		sortOrder, limit, offset, downloadRecursive, downloadFlat, build, includeDeps, excludeArtifacts, minSplit, splitCount,
-		retries, retryWaitTime, dryRun, downloadExplode, validateSymlinks, bundle, publicGpgKey, includeDirs, downloadProps, downloadExcludeProps,
-		failNoOp, threads, archiveEntries, downloadSyncDeletes, syncDeletesQuiet, InsecureTls, detailedSummary, project,
+		retries, retryWaitTime, dryRun, downloadExplode, bypassArchiveInspection, validateSymlinks, bundle, publicGpgKey, includeDirs,
+		downloadProps, downloadExcludeProps, failNoOp, threads, archiveEntries, downloadSyncDeletes, syncDeletesQuiet, InsecureTls, detailedSummary, project,
 		skipChecksum,
 	},
 	Move: {

diff --git a/utils/cliutils/utils.go b/utils/cliutils/utils.go
@@ -590,6 +590,7 @@ func OverrideFieldsIfSet(spec *speccore.File, c *cli.Context) {
 	overrideStringIfSet(&spec.Recursive, c, "recursive")
 	overrideStringIfSet(&spec.Flat, c, "flat")
 	overrideStringIfSet(&spec.Explode, c, "explode")
+	overrideStringIfSet(&spec.BypassArchiveInspection, c, "bypass-archive-inspection")
 	overrideStringIfSet(&spec.Regexp, c, "regexp")
 	overrideStringIfSet(&spec.IncludeDirs, c, "include-dirs")
 	overrideStringIfSet(&spec.ValidateSymlinks, c, "validate-symlinks")