search

thunderstore-io / Thunderstore

Thunderstore is a mod database and API for downloading mods. Thunderstore Discord: https://discord.thunderstore.io/
https://thunderstore.io/
GNU Affero General Public License v3.0
128 stars 27 forks source link

Bolster zip file validation #989

Closed MythicManiac closed 8 months ago

MythicManiac commented 8 months ago

Include validation that ensures the zip file starts at offset 0 and that it includes no relative paths in the files.

In theory the zip files might still contain bogus data in the middle, but this is fairly unlikely to happen in practice and shouldn't impact the behavior of other applications.

codecov[bot] commented 8 months ago

Codecov Report

Attention: 4 lines in your changes are missing coverage. Please review.

Comparison is base (03da139) 93.04% compared to head (88e2518) 93.01%.

Files Patch % Lines
django/thunderstore/repository/package_upload.py 20.00% 2 Missing and 2 partials :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## master #989 +/- ## ========================================== - Coverage 93.04% 93.01% -0.04% ========================================== Files 296 297 +1 Lines 8660 8677 +17 Branches 770 776 +6 ========================================== + Hits 8058 8071 +13 - Misses 498 500 +2 - Partials 104 106 +2 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

MythicManiac commented 8 months ago

That has to do with naming as the function names sort of imply they're performing a check of some kind, and it's intuitive for that check to return true if it passes IMO. Couldn't think of a non-verbose way to invert the naming so this is what we have this time