search

mholt / archiver

Easily create & extract archives, and compress & decompress files of various formats
https://pkg.go.dev/github.com/mholt/archiver/v4
MIT License
4.44k stars 391 forks source link

craft zip file for symlink testing #247

Closed coolaj86 closed 4 years ago

coolaj86 commented 4 years ago

We need a special zip file that cannot be created with normal commandline tools. It requires crafting with an API. This should be possible with archive/zip#Writer, for example.

We want a double entry of a file - the first being a symlink such that the second will be placed in an arbitrary location:

./goodfile.txt  "hello world"         (file)
./bad/file.txt  => ../../badfile.txt  (symlink)
./bad/file.txt  "Mwa-ha-ha"           (file)
./morefile.txt  "hello world"         (file)

This should go in testdata/testarchives/evilarchives/ as double-evil.zip and double-evil.tar (if it is allowed).

See also https://github.com/mholt/archiver/issues/242#issuecomment-703086020

kross9924 commented 4 years ago

can I work on this?

coolaj86 commented 4 years ago

@kross9924 Do it. Assigned!

kross9924 commented 4 years ago

@coolaj86 can you please elaborate on double-evil.zip file structure.

coolaj86 commented 4 years ago

@kross9924 Can you ask a more specific question? What about the file structure with 4 files as described above is unclear?

kross9924 commented 4 years ago

Is this structure correct?

double-evil.zip 1.badfile.txt 2.dir 2.1 subdir 2.1.1 goodfile.txt 2.1.2 morefile.txt 2.1.3 bad 2.1.3.1 file.txt

sorry for bad indentation

coolaj86 commented 4 years ago

File Structure in zip / tar

The point is that you can't actually create such a malicious file structure on disk:

lsd --tree .
./
├── bad/
│  └── file.txt
├── goodfile.txt
└── morefile.txt

bad/file.txt can only be either a file, or a link. It can't be both. However, zip and tar file indexes you can manipulate.

The directory structure in the zip file table should be exactly this:

filepath type contents link
./goodfile.txt file "hello world" N/A
./bad/file.txt symlink N/A ../../badfile.txt
./bad/file.txt file "Mwa-ha-ha" N/A
./morefile.txt file "hello world" N/A

When on Github, use Markdown

sorry for bad indentation

Use code fences and tables:

```bash
lsd --tree .
```

```txt
./
├── bad/
│  └── file.txt
├── goodfile.txt
└── morefile.txt
```

| filepath         | type    | contents        | link                |
| ---------------- | ------- | --------------: | ------------------- |
| `./goodfile.txt` | file    | `"hello world"` | N/A                 |
| `./bad/file.txt` | symlink | N/A             | `../../badfile.txt` |
| `./bad/file.txt` | file    | `"Mwa-ha-ha"`   | N/A                 |
| `./morefile.txt` | file    | `"hello world"` | N/A                 |
coolaj86 commented 4 years ago

@kross9924 Are you still working on this?

kross9924 commented 4 years ago

Yes I am working

kross9924 commented 4 years ago

Opening a symlink file inside program is dereferencing it, so how can I add it in zip file? @coolaj86 Please help

coolaj86 commented 4 years ago

Don’t try to use real files.

Use the zip and tar writer API with byte strings and header objects.

That said, lstat does a link stat without following the link.

kross9924 commented 4 years ago

I am unable to figure out even after reading documentation several time.

How can I insert symlink into zip/tar file using writer API ?

@coolaj86 Please help.

coolaj86 commented 4 years ago

Check out the golang zip test: https://golang.org/src/archive/zip/writer_test.go

Search "symlink" on that page.

symlink is a file mode, just like file and directory.

kross9924 commented 4 years ago

In tar file there is double entry of bad/file.txt I guess that's fine. created a pull request Thank you.