psanford / wormhole-william

End-to-end encrypted file transfer. A magic wormhole CLI and API in Go (golang).
MIT License

Examples are missing receive of directories #26

Closed Jacalz closed 3 years ago

Jacalz commented 3 years ago

The examples directory has examples for everything except for receiving directories. Adding that example would make the examples directory complete for anyone wanting to see how the API can be used.

psanford commented 3 years ago

True. Running the recv-file example for a directory should work; it just doesn't extract the zip file for you.

Until we have an example you can see the logic that the wormhole-william cli uses here: https://github.com/psanford/wormhole-william/blob/master/cmd/recv.go#L130

Jacalz commented 3 years ago

I realized that this could quite easily be implemented using mholt/archiver and thus dropping a lot of complicated code for unpacking the zip. It was what I did in wormhole-gui. See permalink for more context: https://github.com/Jacalz/wormhole-gui/blob/021b0637aecf47c496144b418278621ea6f1e359/internal/bridge/receiver.go#L58

psanford commented 3 years ago

You should be a little bit careful extracting a zip without verifying it doesn't have any dangerous/malicious paths in it. Specifically, zip files can have relative paths such as ../../etc/passwd that could overwrite existing files.

It looks like mholt/archiver does not attempt to protect against these types of malicious files.

Both the python Magic Wormhole and wormhole-william's cli code attempt to protect against these types of files by erroring out if detected.
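
The check discussed above (reject archive entries whose names resolve outside the extraction directory, before anything is written), as an added example that is not code from wormhole-william, Magic Wormhole or mholt/archiver. The names `safeTarget`, `checkEntries`, `sampleZip` and the `out` directory are hypothetical, and the archive is constructed in memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeTarget maps a zip entry name to a path below destDir. It rejects
// absolute names and names that climb out of destDir with "..".
func safeTarget(destDir, name string) (string, error) {
	root := filepath.Clean(destDir)
	target := filepath.Join(root, filepath.FromSlash(name))
	if filepath.IsAbs(name) || !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", fmt.Errorf("unsafe path in zip: %q", name)
	}
	return target, nil
}

// checkEntries validates every entry up front and returns the on-disk
// targets, or an error on the first unsafe entry (nothing is written).
func checkEntries(zr *zip.Reader, destDir string) ([]string, error) {
	var targets []string
	for _, f := range zr.File {
		t, err := safeTarget(destDir, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, t)
	}
	return targets, nil
}

// sampleZip builds a constructed in-memory archive of empty entries.
func sampleZip(names ...string) *zip.Reader {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		zw.Create(n)
	}
	zw.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr
}

func main() {
	fmt.Println(checkEntries(sampleZip("docs/a.txt", "../../etc/passwd"), "out"))
}
```

This covers entry names only; an extractor also has to decide how to treat symlink entries inside the archive.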

Jacalz commented 3 years ago

Good point. I had not realized that it didn't do that. Could the zip extractor used within the cli perhaps be added as a function within the wormhole package? Sending a folder and getting back a zip file might seem a bit confusing and thus I think having a safe and easy to use zip extractor might make a lot of sense.

psanford commented 3 years ago

That might be worth revisiting with the new io/fs changes coming to the std library in 1.16.

The main reason it doesn't work that way today is for applications that don't want to extract the files to disk.

Jacalz commented 3 years ago

That is a good point. Do you want me to open a new issue for that?

Jacalz commented 3 years ago

Looking at this closer, it actually looks like it does try to prevent malicious zip files. Looks like the README just hasn’t been updated. See https://github.com/mholt/archiver/commit/8217ed3a206c0473b4ec1aff51375b398838073a as an example.

sergeevabc commented 3 years ago

Trying to download 1.0.5… and it is missing as well.

$ wget https://github.com/psanford/wormhole-william/releases/download/refs%2Ftags%2Fv1.0.5/wormhole-william-windows-386.exe
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 404 Not Found

psanford commented 3 years ago

@sergeevabc can you open a new issue for that?

sergeevabc commented 3 years ago

@psanford, it seems to be fixed by now, I downloaded and tried the app.

A couple of points to consider thinking about: a) receive/recv is a hard verb to spell right (recieve, recive, etc), get is easier, lack of it like croc does is even better. b) interface is inconsistent about units of measurement: kB and KiB

Receiving file (14.0 kB) into: Von Franz Dream Analysis v. 0.3.txt
ok? (y/N):y
13.66 KiB / 13.66 KiB [---------------------------------------------

psanford commented 3 years ago

@sergeevabc I appreciate your feedback, but please open a new issue as your comments are not relevant to this current issue.