package utils
import (
"archive/zip"
"os"
"path/filepath"
"testing"
)
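// TestExtractZip_PathTraversal checks that ExtractZip refuses archive entries
// whose names resolve outside the destination directory, and — just as
// importantly — that nothing is written outside dest before the refusal.
// Asserting only on the returned error would let an implementation that
// writes the file first and fails afterwards pass.
//
// Whether ExtractZip rejects such names itself or leans on archive/zip's
// ErrInsecurePath is not visible from this file; note that the latter only
// fires when GODEBUG=zipinsecurepath=0, so the extractor should not depend
// on it alone.
func TestExtractZip_PathTraversal(t *testing.T) {
	// Entry names an attacker-controlled archive could carry. Both must be
	// rejected: a plain parent reference and one hidden behind a
	// subdirectory, which a naive check for a leading "../" would miss.
	names := []string{"../evil.png", "sub/../../evil.png"}

	for _, name := range names {
		t.Run(name, func(t *testing.T) {
			dir := t.TempDir()
			zipPath := filepath.Join(dir, "a.zip")
			dest := filepath.Join(dir, "out")
			// Where either entry would land if dest were escaped; both
			// names resolve to dir/evil.png. It must stay absent.
			escaped := filepath.Join(dir, "evil.png")

			writeZipEntry(t, zipPath, name, []byte("x"))

			allowed := map[string]struct{}{".png": {}}
			limits := ZipLimits{MaxFiles: 10, MaxTotalBytes: 1024, MaxFileBytes: 1024}
			if _, err := ExtractZip(zipPath, dest, allowed, limits); err == nil {
				t.Fatalf("ExtractZip(%q) succeeded; want path-traversal error", name)
			}

			// The extractor must not have created the escaped file, even if
			// it reported an error afterwards.
			if _, err := os.Lstat(escaped); err == nil {
				t.Fatalf("entry %q was written outside dest: %s", name, escaped)
			} else if !os.IsNotExist(err) {
				t.Fatalf("stat %s: %v", escaped, err)
			}
		})
	}
}

// writeZipEntry creates a zip archive at path containing a single entry
// called name with the given contents. Every error is fatal: a truncated or
// unclosed archive would make ExtractZip fail for an unrelated reason and the
// traversal assertion would pass vacuously.
func writeZipEntry(t *testing.T, path, name string, contents []byte) {
	t.Helper()
	f, err := os.Create(path)
	if err != nil {
		t.Fatal(err)
	}
	zw := zip.NewWriter(f)
	// The zip writer accepts the traversal name as-is (the original test
	// relied on this too), so the malicious entry is stored unmodified.
	w, err := zw.Create(name)
	if err != nil {
		t.Fatal(err)
	}
	if _, err := w.Write(contents); err != nil {
		t.Fatal(err)
	}
	// Closing the writer emits the central directory; without it the
	// archive is not readable at all.
	if err := zw.Close(); err != nil {
		t.Fatal(err)
	}
	if err := f.Close(); err != nil {
		t.Fatal(err)
	}
}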