JuliaIO / Tar.jl

TAR files: create, list, extract them in pure Julia
MIT License

Test.extract: test that extracting outside of dest directory is an error #145

Closed StefanKarpinski closed 1 year ago

StefanKarpinski commented 1 year ago

We have always prevented this for security reasons, but although we have tested that the fancy attacks using symlinks are prevented, we haven't been testing that the basic attack of extracting a relative or absolute path outside of the tarball is prevented. This adds tests for that. It also factors the common logic for these attack tests into a helper function and tests that Tar.rewrite errors in the same way.
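An added illustration of the check that the PR's new tests exercise: a tar entry path is rejected before extraction if it is absolute or contains a `..` component, so it can never resolve outside the destination directory. This is example code, not Tar.jl's own implementation; `check_entry_path`, `resolve_under` and `UnsafePathError` are names chosen here, and the resolution step assumes POSIX `/` separators.

```julia
using Test

# Raised for any entry path that could land outside the destination directory.
struct UnsafePathError <: Exception
    path::String
    reason::String
end
Base.showerror(io::IO, e::UnsafePathError) =
    print(io, "unsafe tar entry path ", repr(e.path), ": ", e.reason)

# Validate a path as stored in a tar header (always '/'-separated).
# Returns the path unchanged when it is a clean relative path; throws otherwise.
function check_entry_path(path::AbstractString)
    isempty(path) && throw(UnsafePathError(path, "empty path"))
    # An absolute path ignores dest entirely, e.g. "/etc/passwd".
    startswith(path, '/') && throw(UnsafePathError(path, "absolute path"))
    for part in split(path, '/')
        # A ".." component climbs above dest even when the path looks relative,
        # e.g. "a/../../outside.txt".
        part == ".." && throw(UnsafePathError(path, "contains '..' component"))
        # Empty ("a//b", "a/") and "." components are normalisation artefacts;
        # a well-formed archive never needs them, so reject rather than guess.
        (isempty(part) || part == ".") &&
            throw(UnsafePathError(path, "contains empty or '.' component"))
    end
    return path
end

# Resolve a checked entry path under `dest` and confirm the normalised result
# still lies strictly inside dest (belt-and-braces; assumes POSIX separators).
function resolve_under(dest::AbstractString, path::AbstractString)
    check_entry_path(path)
    root = normpath(dest)
    target = normpath(joinpath(root, path))
    startswith(target, root * "/") || throw(UnsafePathError(path, "escapes $root"))
    return target
end

# Tests in the style the PR adds: the basic relative and absolute escapes must error.
@testset "extraction outside dest is an error" begin
    @test check_entry_path("dir/file.txt") == "dir/file.txt"
    @test_throws UnsafePathError check_entry_path("/etc/passwd")
    @test_throws UnsafePathError check_entry_path("../outside.txt")
    @test_throws UnsafePathError check_entry_path("dir/../../outside.txt")
    @test_throws UnsafePathError check_entry_path("dir//file.txt")
    @test resolve_under("/tmp/dest", "dir/file.txt") == "/tmp/dest/dir/file.txt"
end
```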

codecov[bot] commented 1 year ago

Codecov Report

Base: 97.30% // Head: 97.31% // Increases project coverage by +0.01% :tada:

Coverage data is based on head (63c5610) compared to base (1de4f92). Patch coverage: 100.00% of modified lines in pull request are covered.

:exclamation: Current head 63c5610 differs from pull request most recent head 564bdd2. Consider uploading reports for the commit 564bdd2 to get more accurate results

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master     #145      +/-   ##
==========================================
+ Coverage   97.30%   97.31%   +0.01%
==========================================
  Files           4        4
  Lines         779      783       +4
==========================================
+ Hits          758      762       +4
  Misses         21       21
```

| [Impacted Files](https://codecov.io/gh/JuliaIO/Tar.jl/pull/145?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=JuliaIO) | Coverage Δ | |
|---|---|---|
| [src/extract.jl](https://codecov.io/gh/JuliaIO/Tar.jl/pull/145/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=JuliaIO#diff-c3JjL2V4dHJhY3Quamw=) | `98.14% <100.00%> (+0.01%)` | :arrow_up: |
