
Commit 79d9081

nywilkenpicatz
andauthored
Port bomb.zip test updates from v1 (#425)
* Merge pull request #424 from hashicorp/fix-av-reports Remove `bomb.zip` test file to stop anti-virus noise * Update call to WriteFile --------- Co-authored-by: Kent 'picat' Gruber <[email protected]>
1 parent d5cdddb commit 79d9081


2 files changed

+62
-14
lines changed

2 files changed

+62
-14
lines changed

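--- a/decompress_zip_test.go
+++ b/decompress_zip_test.go
@@ -1,6 +1,10 @@
 package getter
 
 import (
+"archive/zip"
+"bytes"
+"io/ioutil"
+"log"
 "os"
 "path/filepath"
 "runtime"
@@ -132,23 +136,67 @@ func TestDecompressZipPermissions(t *testing.T) {
 }
 
 func TestDecompressZipBomb(t *testing.T) {
-// If the zip decompression bomb protection fails, this can fill up disk space on the entire
-// computer.
-if os.Getenv("GO_GETTER_TEST_ZIP_BOMB") != "true" {
-t.Skip("skipping potentially dangerous test without GO_GETTER_TEST_ZIP_BOMB=true")
+buf := new(bytes.Buffer)
+
+// Create a zip file inline, written to the buffer.
+{
+w := zip.NewWriter(buf)
+
+var files = []struct {
+Name, Body string
+}{
+{"readme.txt", "This archive contains some text files."},
+{"gopher.txt", "Gopher names:\nGeorge\nGeoffrey\nGonzo"},
+{"todo.txt", "Get animal handling licence.\nWrite more examples."},
+}
+for _, file := range files {
+f, err := w.Create(file.Name)
+if err != nil {
+t.Fatal(err)
+}
+_, err = f.Write([]byte(file.Body))
+if err != nil {
+t.Fatal(err)
+}
+}
+
+err := w.Close()
+if err != nil {
+log.Fatal(err)
+}
 }
 
-// https://www.bamsoftware.com/hacks/zipbomb/zblg.zip
-srcPath := filepath.Join("./testdata", "decompress-zip", "bomb.zip")
+td, err := ioutil.TempDir("", "go-getter-zip")
+if err != nil {
+t.Fatalf("err: %s", err)
+}
 
-d := new(ZipDecompressor)
-d.FileSizeLimit = 512
+zipFilePath := filepath.Join(td, "input.zip")
 
-err := d.Decompress(t.TempDir(), srcPath, true, 0644)
-if err == nil {
-t.FailNow()
-}
-if !strings.Contains(err.Error(), "zip archive larger than limit: 512") {
-t.Fatalf("unexpected error: %q", err.Error())
+err = ioutil.WriteFile(zipFilePath, buf.Bytes(), 0666)
+if err != nil {
+t.Fatalf("err: %s", err)
 }
+
+t.Run("error with limit", func(t *testing.T) {
+d := new(ZipDecompressor)
+d.FileSizeLimit = 7 // bytes
+
+err = d.Decompress(t.TempDir(), zipFilePath, true, 0644)
+if err == nil {
+t.FailNow()
+}
+if !strings.Contains(err.Error(), "zip archive larger than limit: 7") {
+t.Fatalf("unexpected error: %q", err.Error())
+}
+})
+
+t.Run("no error without limit", func(t *testing.T) {
+d := new(ZipDecompressor)
+
+err = d.Decompress(t.TempDir(), zipFilePath, true, 0644)
+if err != nil {
+t.Fatalf("unexpected error: %v", err)
+}
+})
 }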
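Review bot: In TestDecompressZipBomb the `w.Close()` failure path calls `log.Fatal(err)`, which exits the whole test binary instead of failing this one test; `t.Fatal(err)`, as the two checks inside the loop already use, is the right call and probably makes the new `"log"` import unnecessary (the rest of the file is not visible here). The directory returned by `ioutil.TempDir("", "go-getter-zip")` is never removed, so every run leaves `input.zip` behind; `td := t.TempDir()`, already used for the destination, cleans up on its own, and `0600` is enough for the file mode instead of `0666`. Both subtests write to the outer `err` through the closure; `err := d.Decompress(...)` keeps each subtest self-contained. With the 9.44 MB fixture gone, the "error with limit" case only shows that an entry larger than 7 bytes is rejected by message text. If `FileSizeLimit` is meant to bound what reaches disk, an assertion on the bytes written under the destination directory would pin that down, though `Decompress` itself is outside this diff.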

testdata/decompress-zip/bomb.zip

-9.44 MB
Binary file not shown.
