This repository has been archived by the owner on Dec 6, 2022. It is now read-only.

Merge pull request #5 from ipfs/fix/dd
allow .. in file and directory names
petar authored Aug 6, 2021
2 parents 911562c + 98588cc commit d4d955b
Showing 4 changed files with 15 additions and 4 deletions.
9 changes: 7 additions & 2 deletions extractor.go
Expand Up @@ -158,9 +158,14 @@ func (te *Extractor) Extract(reader io.Reader) error {
// Checks if the relative path matches or exceeds the root
// We check for matching because the outputPath function strips the original root
rel, err := fp.Rel(rootOutputPath, outputPath)
if err != nil || rel == "." || strings.Contains(rel, "..") {
if err != nil || rel == "." {
return errInvalidRootMultipleRoots
}
for _, e := range strings.Split(fp.ToSlash(rel), "/") {
if e == ".." {
return fmt.Errorf("relative path contains '..'")
}
}

switch header.Typeflag {
case tar.TypeDir:
Expand Down Expand Up @@ -211,7 +216,7 @@ func getRelativePath(rootName, tarPath string) (string, error) {
return tarPath[len(rootName)+1:], nil
}

// outputPath returns the path at which to place the relativeTarPath. Assumes the path is cleaned.
// outputPath returns the directory path at which to place the file relativeTarPath. Assumes relativeTarPath is cleaned.
func (te *Extractor) outputPath(basePlatformPath, relativeTarPath string) (string, error) {
elems := strings.Split(relativeTarPath, "/")

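Review bot: The new `..` rejection in Extract returns a bare `fmt.Errorf("relative path contains '..'")` that does not say which archive entry was refused, although this loop is the guard that keeps an entry from resolving outside `rootOutputPath`. Assuming `header` is the tar header read for the current entry (it is used as `header.Typeflag` just below), the error could carry the name: `return fmt.Errorf("tar entry %q: relative path contains '..'", header.Name)`. Comparing whole elements after `fp.ToSlash` is the right replacement for the old substring test, and a comment such as `// reject only a whole ".." element; names like "file..ext" are legal` above the loop would keep a later edit from reverting it to `strings.Contains`. Extract's body starts and ends outside the hunk.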
4 changes: 2 additions & 2 deletions extractor_test.go
Expand Up @@ -45,7 +45,7 @@ func init() {
}

func TestSingleFile(t *testing.T) {
fileName := "file"
fileName := "file..ext"
fileData := "file data"

testTarExtraction(t, nil, []tarEntry{
Expand All @@ -64,7 +64,7 @@ func TestSingleFile(t *testing.T) {
}

func TestSingleDirectory(t *testing.T) {
dirName := "dir"
dirName := "dir..sfx"

testTarExtraction(t, nil, []tarEntry{
&dirTarEntry{dirName},
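Review bot: Both renames (`"file..ext"` in TestSingleFile, `"dir..sfx"` in TestSingleDirectory) exercise only the newly accepted names; nothing visible in these hunks asserts that an entry with a real `..` path element is still refused now that the substring check is relaxed. A negative case, for example `func TestParentDirComponentRejected(t *testing.T)`, should feed testTarExtraction such an entry and expect the extraction error; the second argument is `nil` here and presumably carries the expected error, which should be confirmed against the helper. Replacing the plain `"file"` and `"dir"` names also drops the simplest baseline unless tests outside these hunks still cover it. Both test functions continue outside the hunks.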
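--- a/sanitize.go
+++ b/sanitize.go
@@ -20,6 +20,9 @@ func validatePlatformPath(platformPath string) error {
 }
 
 func validatePathComponent(c string) error {
+if c == ".." {
+return fmt.Errorf("invalid platform path: path component cannot be '..'")
+}
 if strings.Contains(c, "\x00") {
 return fmt.Errorf("invalid platform path: path components cannot contain null: %q", c)
 }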
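Review bot: validatePathComponent has no doc comment, yet after this change it is one of the places that decides whether a single path element may step out of the extraction root. Propose adding `// validatePathComponent rejects a path element that must not be created on disk. A whole ".." element is refused; names that merely contain dots, such as "file..ext", pass.` above the function. The new message reads `path component cannot be` where the sibling message reads `path components cannot`, so aligning the wording would keep log matching simple. The same three lines are added in sanitize_windows.go, and the function body continues outside the hunk.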
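--- a/sanitize_windows.go
+++ b/sanitize_windows.go
@@ -38,6 +38,9 @@ func validatePathComponent(c string) error {
 return fmt.Errorf("invalid platform path: path components cannot end with ' ' : %q", c)
 }
 
+if c == ".." {
+return fmt.Errorf("invalid platform path: path component cannot be '..'")
+}
 // error on reserved characters
 if strings.ContainsAny(c, reservedCharsStr) {
 return fmt.Errorf("invalid platform path: path components cannot contain any of %s : %q", reservedCharsStr, c)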
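Review bot: The exact-match `c == ".."` test added after the trailing-space check catches only the literal two-dot name. Windows path handling is generally lenient about trailing dots and spaces in a component, so whether other dot-only or dot-terminated names are refused depends on the checks above this hunk, of which only the trailing-space one is visible. If no trailing-dot check exists there, it is worth adding next to this one. A comment such as `// ".." is refused outright; other dot-terminated names are left to the trailing-character checks above` would record which check owns which case. validatePathComponent starts and ends outside the hunk.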
