This repository has been archived by the owner on Dec 6, 2022. It is now read-only.

allow .. in file and directory names #5

Merged
merged 4 commits into from
Aug 6, 2021
9 changes: 7 additions & 2 deletions extractor.go
@@ -158,9 +158,14 @@ func (te *Extractor) Extract(reader io.Reader) error {
// Checks if the relative path matches or exceeds the root
// We check for matching because the outputPath function strips the original root
rel, err := fp.Rel(rootOutputPath, outputPath)
if err != nil || rel == "." || strings.Contains(rel, "..") {
if err != nil || rel == "." {
petar marked this conversation as resolved.
return errInvalidRootMultipleRoots
}
for _, e := range strings.Split(fp.ToSlash(rel), "/") {
if e == ".." {
return fmt.Errorf("relative path contains '..'")
}
}

switch header.Typeflag {
case tar.TypeDir:
@@ -211,7 +216,7 @@ func getRelativePath(rootName, tarPath string) (string, error) {
return tarPath[len(rootName)+1:], nil
}

// outputPath returns the path at which to place the relativeTarPath. Assumes the path is cleaned.
// outputPath returns the directory path at which to place the file relativeTarPath. Assumes relativeTarPath is cleaned.
func (te *Extractor) outputPath(basePlatformPath, relativeTarPath string) (string, error) {
elems := strings.Split(relativeTarPath, "/")

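Review bot: The new per-component loop in Extract returns an anonymous `fmt.Errorf("relative path contains '..'")`, whereas the check it replaces returned errInvalidRootMultipleRoots (presumably a package-level sentinel), so a caller that matched on that value will no longer recognise the traversal rejection, and the message does not say which entry was refused. A dedicated sentinel, or at least `return fmt.Errorf("tar entry escapes extraction root: %q", rel)`, would keep the failure identifiable in logs. The check is also purely lexical on the result of `fp.Rel`; whether link entries are subject to the same containment test before anything is written through them is not visible in this hunk and is worth confirming. Extract's body continues outside the hunk.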
4 changes: 2 additions & 2 deletions extractor_test.go
@@ -45,7 +45,7 @@ func init() {
}

func TestSingleFile(t *testing.T) {
fileName := "file"
fileName := "file..ext"
fileData := "file data"

testTarExtraction(t, nil, []tarEntry{
@@ -64,7 +64,7 @@ func TestSingleFile(t *testing.T) {
}

func TestSingleDirectory(t *testing.T) {
dirName := "dir"
dirName := "dir..sfx"

testTarExtraction(t, nil, []tarEntry{
&dirTarEntry{dirName},
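Review bot: Nothing visible in this section exercises the rejection path that the PR rewrote; both edits only confirm that names containing `..` are now accepted. Since the change loosens a traversal guard, add a negative test asserting that extraction returns an error for an entry whose path has a component exactly equal to `..`, alongside the new positive cases. Editing the existing literals in place also drops the plain `"file"` and `"dir"` names from TestSingleFile and TestSingleDirectory; separate cases (or a small table of names) would keep both covered. Both test bodies continue outside the hunks.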
3 changes: 3 additions & 0 deletions sanitize.go
@@ -20,6 +20,9 @@ func validatePlatformPath(platformPath string) error {
}

func validatePathComponent(c string) error {
if c == ".." {
return fmt.Errorf("invalid platform path: path component cannot be '..'")
}
if strings.Contains(c, "\x00") {
return fmt.Errorf("invalid platform path: path components cannot contain null: %q", c)
}
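Review bot: The same three-line `..` check and error string are added verbatim here and in sanitize_windows.go, so the two platform variants of validatePathComponent can drift apart on the one rule that guards against leaving the extraction root. Hoisting it into a helper in a platform-neutral file and calling it from both, e.g. `func isParentRef(c string) bool { return c == ".." }`, keeps the rule in one place. A doc comment on validatePathComponent stating that only a component exactly equal to `..` is rejected, while names that merely contain `..` are accepted, would record the intent of this change. The function body continues outside the hunk.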
3 changes: 3 additions & 0 deletions sanitize_windows.go
@@ -38,6 +38,9 @@ func validatePathComponent(c string) error {
return fmt.Errorf("invalid platform path: path components cannot end with ' ' : %q", c)
}

if c == ".." {
return fmt.Errorf("invalid platform path: path component cannot be '..'")
}
// error on reserved characters
if strings.ContainsAny(c, reservedCharsStr) {
return fmt.Errorf("invalid platform path: path components cannot contain any of %s : %q", reservedCharsStr, c)