Open galaxystar opened 8 years ago
I've narrowed this issue down to ExtractPackage in NuGetV2.fs, on line 351 where Paket uses ZipFile.ExtractToDirectory. We could use ZipArchive instead (which is used elsewhere in the project). If the Force flag is set then use code similar to what is provided here: http://stackoverflow.com/questions/14795197/forcefully-replacing-existing-files-during-extracting-file-using-system-io-compr
do you have a repro sample for me?
A simple repro should be as follows:
Create a package that contains 1 dependency packet. The dependent package should have at least one file, and map its content to be deployed outside of the package folder. Use paket install to install the package. Then use paket install --force to try and install the package again, observe the following message:
Paket failed with:
Error during extraction of /<path>/packages/<package group>/PackageName/PackageName.1.0.8.nupkg.
Message: Could not create file "/<path outside of packages folder>/<some file>". File already exists.
Package A depends on Package B
Package A paket.dependency file:
...
nuget PackageB
...
Package B paket.template file:
...
files
bin/ ==> ../../<some_path_outside_packages_folder>/
...
and map its content to be deployed outside of the package folder
Is this something that nuget supports? That sounds pretty dangerous to me
Paket supports it, and I rely on it. It's a bit of a roundabout way to get what I want. I'm using it to deploy a bootstrapper script into a folder that can then later deploy (copy) the package groups where I want them.
My ideal solution would be to be able to Install packages and then be able to Deploy package groups where I want them, in 2 separate steps. It would be nice to be able to map the group's deploy location in the template file. At which point I could deploy to paths outside of the packages folder.
p.s. I know this is not exactly how Paket was intended to be used, but my toolset (Unity3d) does not support the "proper way" to use Paket. And no, I don't want to use Paket.Unity3D.
Paket supports it, and I rely on it.
It's more an accidental feature. I don't think it's "supported"
We fixed a bug (https://github.com/fsprojects/Paket/issues/1472) a few weeks back with globbing when packaging which allowed me to continue to use it. Sounds "supported" :-).
But the point of the matter, this repro case may not be "supported", but the request is still sound. When using the "--force" flag, it should override any existing files, which it is not doing.
just tried to reproduce. see 65bb4a8
the message says: "Can't extract since it would create a file outside of target folder"
so what am I doing differently?
Perhaps Paket 3 handles it differently. My test case is using Paket 2.51.4.0 (sorry for not mentioning it sooner).
nope the test is against paket 2
The screenshot you posted says "Paket Version 3.0.0.0"
Yes, but the test case is showing same error in both branches.
I'm not sure, I just installed Paket 2.51.11.0 and I see an identical error to what I posted above.
Paket failed with:
Error during extraction of /Users/galaxystar/Git/Fyber/packages/bootstrap/PackageManagerBootStrap/PackageManagerBootStrap.1.0.7.nupkg.
Message: Could not create file "/Users/galaxystar/Git/Fyber/Assets/Plugins/Packages/bootstrap/PackageManagerBootStrap/Editor/PackageManager.cs". File already exists.
In rare cases a firewall might have blocked the download. Please look into the file and see if it contains text with further information.
Can you please try to look at my sample? Can you reproduce with that sample? It's basically what you described above, but maybe there is a significant difference.
The names paket.A.templatetemplate and paket.A.templatetemplate, which I assume are different for the integration testing system.
Paket.lock file contains packages C and D (I'm not sure where they came from). And the Paket.lock seems to have gotten the dependency order mixed up. It looks like the order of dependencies is a little wrong. The paket.dependencies for Package B says it's dependent on Package A, and in the Package A Template file it says it has a dependency for Package B. This appears to be cyclic.
Beyond that, the files section in the paket.template looks fine. However with my use case, I did a directory not just a single file. Try to replace the files section with this:
files
/files/ ==> ../../temp/
Where the test.txt file is in the /files/ directory.
paket.A.templatetemplate will be replaced to paket.A.template during prepare phase in the integration test. This is just to shield against paket commands from outer levels.
You are right. The lock file is wrong, but we call paket update so it's not important. I fixed that anyways.
I also changed it to folders.
The following zip contains the situation after packaging. What do you get if you run paket update in that folder?
Hello, here are my results from the test
$ paket install --force
Paket version 2.51.11.0
Resolving packages for group Main:
- Paket.Test.A 1.0.0
- Paket.Test.B 1.0.0
Locked version resolution written to /Users/galaxystar/Downloads/repro/paket.lock
0 seconds - ready.
Now running it a second time...
$ paket install --force
Paket version 2.51.11.0
Skipping resolver for group Main since it is already up-to-date
/Users/galaxystar/Downloads/repro/paket.lock is already up-to-date
Paket failed with:
Error during extraction of /Users/galaxystar/Downloads/repro/packages/Paket.Test.B/Paket.Test.B.1.0.0.nupkg.
Message: Could not create file "/Users/galaxystar/Downloads/repro/outerFolder/test.txt". File already exists.
Mhm I need to take a look if mono is doing this differently
Any updates? I am just having this issue when I run paket convert-from-nuget.
This sounds like depending on https://github.com/snyk/zip-slip-vulnerability
You really should reconsider your workflow
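The two behaviours argued over in this thread, per-entry extraction through ZipArchive with overwrite tied to the force flag and refusal of entries that resolve outside the target folder, combined in one sketch. This is an added example, not Paket's code and not written by any commenter; `extractPackage` and `makeZip` are hypothetical names, the two archives are constructed samples, and it assumes an F# script run with `dotnet fsi`.

```fsharp
open System
open System.IO
open System.IO.Compression

/// Extract zipPath into targetDir. Entries that resolve outside targetDir are
/// rejected; existing files are replaced only when force is true.
let extractPackage (force: bool) (zipPath: string) (targetDir: string) =
    let root = Path.GetFullPath targetDir
    let sep = string Path.DirectorySeparatorChar
    let rootPrefix = if root.EndsWith(sep) then root else root + sep
    use archive = ZipFile.OpenRead zipPath
    for entry in archive.Entries do
        // Normalise ".." segments before comparing against the target root.
        let dest = Path.GetFullPath(Path.Combine(root, entry.FullName))
        if not (dest.StartsWith(rootPrefix, StringComparison.Ordinal)) then
            failwithf "Refusing entry '%s': resolves outside %s" entry.FullName root
        if String.IsNullOrEmpty entry.Name then
            Directory.CreateDirectory dest |> ignore      // directory entry
        else
            Directory.CreateDirectory(Path.GetDirectoryName dest) |> ignore
            entry.ExtractToFile(dest, force)              // overwrite = force

// Constructed sample: one well-behaved archive and one whose entry climbs out of the target.
let work = Path.Combine(Path.GetTempPath(), "extract-demo-" + Guid.NewGuid().ToString("N"))
let target = Path.Combine(work, "packages", "Paket.Test.B")
Directory.CreateDirectory target |> ignore

let makeZip (name: string) (entries: string list) =
    let path = Path.Combine(work, name)
    use zip = ZipFile.Open(path, ZipArchiveMode.Create)
    for e in entries do
        use w = new StreamWriter(zip.CreateEntry(e).Open())
        w.Write("demo")
    path

let good = makeZip "good.nupkg" [ "lib/test.txt" ]
let bad = makeZip "bad.nupkg" [ "../../outerFolder/test.txt" ]

extractPackage false good target           // first install: succeeds
extractPackage true good target            // force: the existing file is replaced
try extractPackage false good target       // no force: IOException, file already exists
with :? IOException as ex -> printfn "without force: %s" ex.Message
try extractPackage true bad target         // traversal is refused even with force
with Failure msg -> printfn "%s" msg
```

Keeping the containment check ahead of the overwrite means a force flag can replace files a package already owns but never files elsewhere on disk.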
This issue is somewhat related to: https://github.com/fsprojects/Paket/issues/1472
When Paket installs to a path outside of the ./packages directory, I receive the error below, when multiple packages reference the same package (and all of which trying to install to the path outside of the ./packages folder)
I've tried using paket install -f and paket install --hard and paket install -f --hard but they all fail when trying to extract the file. Regardless of the use case that caused this, it would be nice if the force flag would overwrite files which already exist, as I would expect FORCE to do.
Stack Trace: