/*
*
* Copyright 2024 tofuutils authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package zip
import (
"archive/zip"
"bytes"
"fmt"
"io"
"os"
"path/filepath"
"strings"
"github.com/tofuutils/tenv/v4/pkg/fileperm"
)
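// UnzipToDir extracts the zip archive held in dataZip into dirPath.
//
// dirPath is created with MkdirAll when it does not exist yet. Every entry
// name is resolved through SanitizeArchivePath before anything is created, so
// an entry that resolves outside dirPath aborts the extraction with an error.
// filter is forwarded unchanged to copyZipFileToDir for each non-directory
// entry.
//
// The archive is treated as untrusted input: entry names, sizes and modes all
// come from dataZip.
func UnzipToDir(dataZip []byte, dirPath string, filter func(string) bool) error {
	if err := os.MkdirAll(dirPath, fileperm.RWE); err != nil {
		return err
	}

	zipReader, err := zip.NewReader(bytes.NewReader(dataZip), int64(len(dataZip)))
	if err != nil {
		return err
	}

	// First pass: create all directories.
	for _, file := range zipReader.File {
		destPath, err := SanitizeArchivePath(dirPath, file.Name)
		if err != nil {
			return err
		}

		// SanitizeArchivePath returns a cleaned path, so a trailing slash on
		// the entry name never survives into destPath. Ask the zip header
		// instead: archive/zip flags an entry as a directory when its name
		// ends in "/".
		dirToCreate := filepath.Dir(destPath)
		if file.FileInfo().IsDir() {
			dirToCreate = destPath
		}

		if err := os.MkdirAll(dirToCreate, fileperm.RWE); err != nil {
			return err
		}
	}

	// Second pass: extract files.
	for _, file := range zipReader.File {
		if file.FileInfo().IsDir() {
			// Created in the first pass; a directory entry has no content to
			// write and must not be turned into a regular file.
			continue
		}

		if err := copyZipFileToDir(file, dirPath, filter); err != nil {
			return err
		}
	}

	return nil
}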
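// copyZipFileToDir writes one archive entry below dirPath.
//
// It lives in its own function so that the deferred Close runs once per entry
// instead of piling up until the whole archive has been processed. The
// destination is resolved through SanitizeArchivePath; directory entries and
// entries rejected by filter are skipped without error.
func copyZipFileToDir(zipFile *zip.File, dirPath string, filter func(string) bool) error {
	destPath, err := SanitizeArchivePath(dirPath, zipFile.Name)
	if err != nil {
		return err
	}

	// The sanitized path is cleaned, so the entry's own trailing slash is gone
	// by now; the zip header is the reliable source for "this is a directory".
	// Directory creation is handled by UnzipToDir's first pass.
	if zipFile.FileInfo().IsDir() {
		return nil
	}

	// An empty entry name makes SanitizeArchivePath hand back dirPath as-is;
	// when that carries a trailing slash there is nothing to write either.
	if len(destPath) > 0 && destPath[len(destPath)-1] == '/' {
		return nil
	}

	// Consult the filter before opening the entry so that unwanted content is
	// never decompressed.
	if !filter(destPath) {
		return nil
	}

	reader, err := zipFile.Open()
	if err != nil {
		return err
	}
	defer reader.Close()

	// NOTE(review): io.ReadAll buffers the whole decompressed entry with no
	// size cap. For archives from untrusted sources, consider bounding the
	// read against an expected maximum so a highly compressed entry cannot
	// exhaust memory.
	data, err := io.ReadAll(reader)
	if err != nil {
		return err
	}

	// Keep only the rwx permission bits from the archive. The mode is
	// attacker-controlled and os.WriteFile would otherwise also honour
	// setuid/setgid/sticky bits recorded in the zip header.
	return os.WriteFile(destPath, data, zipFile.Mode().Perm())
}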
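// SanitizeArchivePath resolves an archive entry name against dirPath and
// rejects names that would land outside it (gosec "G305", file traversal).
//
// An empty fileName yields dirPath unchanged. Absolute names are refused. For
// any other name the result is the cleaned join of dirPath and fileName, and
// an error is returned when that result is not dirPath itself or a path
// beneath it.
//
// The check is purely lexical: it does not touch the filesystem.
// NOTE(review): symlinks that already exist under dirPath are therefore not
// detected here — confirm callers extract into a directory they control.
func SanitizeArchivePath(dirPath string, fileName string) (string, error) {
	// Handle empty filename.
	if fileName == "" {
		return dirPath, nil
	}

	// Absolute names would ignore dirPath altogether.
	if filepath.IsAbs(fileName) {
		return "", fmt.Errorf("content filepath is tainted: %s", fileName)
	}

	// Join cleans its result, collapsing any "." and ".." elements.
	cleanDirPath := filepath.Clean(dirPath)
	destPath := filepath.Join(cleanDirPath, fileName)

	// Containment must be decided on whole path elements. A plain string
	// prefix test would accept a sibling such as "<dir>bar" for "<dir>",
	// because the sibling's name merely starts with the same characters.
	relPath, err := filepath.Rel(cleanDirPath, destPath)
	if err != nil {
		return "", fmt.Errorf("content filepath is tainted: %s", fileName)
	}

	parentPrefix := ".." + string(filepath.Separator)
	if relPath == ".." || strings.HasPrefix(relPath, parentPrefix) {
		return "", fmt.Errorf("content filepath is tainted: %s", fileName)
	}

	return destPath, nil
}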