fix(appengine): Checks destination directory before unpacking file. (#…
…5443) * fix(appengine): Checks destination directory before unpacking file. * fix(appengine): Removes reference to FileUtils * fix(appengine): Uses crafted `tar` file to trigger vulnerability on tests and check it throws an exception preventing further damage. * fix(appengine): Removes zip file. * fix(appengine): Adds happy path test. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
1 parent
2a9810f
commit 61d6b30
Showing
4 changed files
with
59 additions
and
0 deletions.
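--- a/...rc/test/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtilsTest.java
+++ b/...rc/test/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtilsTest.java
@@ -0,0 +1,50 @@
+package com.netflix.spinnaker.clouddriver.appengine.artifacts;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import org.junit.jupiter.api.Test;
+
+class ArtifactUtilsTest {
+
+@Test
+void testUntarStreamToPathWithEntryOutsideDestDirThrowsException() throws IOException {
+
+Exception ex = null;
+String s = "target/zip-unarchiver-slip-tests";
+File testZip = new File(new File("").getAbsolutePath(), "src/test/zip-slip/zip-slip.tar");
+File outputDirectory = new File(new File("test-tar").getAbsolutePath(), s);
+
+outputDirectory.delete();
+
+try {
+ArtifactUtils.untarStreamToPath(new FileInputStream(testZip), outputDirectory.getPath());
+} catch (Exception e) {
+ex = e;
+}
+
+assertNotNull(ex);
+assertTrue(ex.getMessage().startsWith("Entry is outside of the target directory"));
+}
+
+@Test
+void testUntarStreamDirDoesNotThrowsException() throws IOException {
+
+Exception ex = null;
+String s = "target/zip-unarchiver-slip-tests";
+File testZip = new File(new File("").getAbsolutePath(), "src/test/zip-slip/normal-tar.tar");
+File outputDirectory = new File(new File("test-tar").getAbsolutePath(), s);
+
+outputDirectory.delete();
+
+try {
+ArtifactUtils.untarStreamToPath(new FileInputStream(testZip), outputDirectory.getPath());
+} catch (Exception e) {
+ex = e;
+}
+
+assertNull(ex);
+}
+}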
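Review bot: Both tests catch any `Exception` and never close the `FileInputStream`, and `testUntarStreamToPathWithEntryOutsideDestDirThrowsException` pins only a message prefix without asserting that nothing was written outside `outputDirectory`. `outputDirectory.delete()` does not remove a non-empty directory, so output from an earlier run can remain under `test-tar/target/zip-unarchiver-slip-tests`; a JUnit `@TempDir` together with `assertThrows` and try-with-resources isolates each run, as sketched below (the exception type thrown by `untarStreamToPath` is not visible here, hence `Exception.class`). The happy-path test would be stronger if it asserted that an expected file exists under the destination rather than only `assertNull(ex)`. A further fixture whose entry resolves to a sibling directory that shares the destination's name as a prefix is worth adding, because a string `startsWith` comparison without a trailing separator accepts that case; whether the production check is written that way cannot be seen from this file.

```java
@Test
void testUntarStreamToPathWithEntryOutsideDestDirThrowsException(@TempDir Path outputDirectory)
    throws IOException {
  File testZip = new File(new File("").getAbsolutePath(), "src/test/zip-slip/zip-slip.tar");

  // Stream is closed even when extraction is rejected part-way through.
  try (InputStream in = new FileInputStream(testZip)) {
    Exception ex =
        assertThrows(
            Exception.class,
            () -> ArtifactUtils.untarStreamToPath(in, outputDirectory.toString()));
    assertTrue(ex.getMessage().startsWith("Entry is outside of the target directory"));
  }
}
// … testUntarStreamDirDoesNotThrowsException: same @TempDir / try-with-resources treatment …
```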
Binary file not shown.
Binary file not shown.