Skip to content
This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

Commit

Permalink
Merge pull request #87 from johnarok/fix-82
Browse files Browse the repository at this point in the history
Fixes #82 by processing destination string through filepath.Clean
  • Loading branch information
weingart authored Sep 10, 2018
2 parents 77adc20 + e1c92d5 commit de0d89e
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 1 deletion.
2 changes: 1 addition & 1 deletion archiver.go
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ func sanitizeExtractPath(filePath string, destination string) error {
// the target path, and make sure it's nested in the intended
// destination, or bail otherwise.
destpath := filepath.Join(destination, filePath)
if !strings.HasPrefix(destpath, destination) {
if !strings.HasPrefix(destpath, filepath.Clean(destination)) {
return fmt.Errorf("%s: illegal file path", filePath)
}
return nil
Expand Down
34 changes: 34 additions & 0 deletions archiver_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ func TestArchiver(t *testing.T) {
}
testWriteRead(t, name, ar)
testMakeOpen(t, name, ar)
testMakeOpenWithDestinationEndingInSlash(t, name, ar)
})
}
}
Expand Down Expand Up @@ -83,6 +84,39 @@ func testMakeOpen(t *testing.T, name string, ar Archiver) {
symmetricTest(t, name, dest)
}

// testMakeOpenWithDestinationEndingInSlash is similar to testMakeOpen except that
// it tests the case where destination path has a terminating forward slash especially
// on Windows os.
func testMakeOpenWithDestinationEndingInSlash(t *testing.T, name string, ar Archiver) {
tmp, err := ioutil.TempDir("", "archiver")
if err != nil {
t.Fatalf("[%s] %v", name, err)
}
defer os.RemoveAll(tmp)

// Test creating archive
outfile := filepath.Join(tmp, "test-"+name)
err = ar.Make(outfile, []string{"testdata"})
if err != nil {
t.Fatalf("[%s] making archive: didn't expect an error, but got: %v", name, err)
}

if !ar.Match(outfile) {
t.Fatalf("[%s] identifying format should be 'true', but got 'false'", name)
}

// Test extracting archive with destination that has a slash at the end
dest := filepath.Join(tmp, "extraction_test")
os.Mkdir(dest, 0755)
err = ar.Open(outfile, dest+"/")
if err != nil {
t.Fatalf("[%s] extracting archive [%s -> %s]: didn't expect an error, but got: %v", name, outfile, dest, err)
}

// Check that what was extracted is what was compressed
symmetricTest(t, name, dest)
}

// symmetricTest compares the contents of a destination directory to the contents
// of the test corpus and tests that they are equal.
func symmetricTest(t *testing.T, name, dest string) {
Expand Down

0 comments on commit de0d89e

Please sign in to comment.