projectdiscovery
GitHub Repository: projectdiscovery/nuclei
Path: blob/dev/pkg/installer/zipslip_unix_test.go
package installer
import (
"io/fs"
"os"
"path/filepath"
"runtime"
"testing"
"time"
"github.com/stretchr/testify/require"
)
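// Compile-time check that *tempFileInfo satisfies fs.FileInfo.
var _ fs.FileInfo = &tempFileInfo{}

// tempFileInfo is a minimal fs.FileInfo stub for tests. Only the name is
// configurable; every other method returns a fixed value, so no file has to
// exist on disk to build one.
type tempFileInfo struct {
	name string // returned verbatim by Name
}

// Name returns the stored name unchanged. TestZipSlip stores the full archive
// entry path here, not just a base name.
func (t *tempFileInfo) Name() string {
	return t.name
}

// ModTime returns the current time; the stub carries no real timestamp.
func (t *tempFileInfo) ModTime() time.Time {
	return time.Now()
}

// Mode returns all permission bits set (fs.ModePerm) and no type bits.
func (t *tempFileInfo) Mode() fs.FileMode {
	return fs.ModePerm
}

// IsDir always reports false: the stub stands for a regular file entry.
// It uses a pointer receiver like every other method of the type; mixing
// value and pointer receivers on one type makes its method sets inconsistent.
func (t *tempFileInfo) IsDir() bool {
	return false
}

// Size returns a fixed size of 100 bytes.
func (t *tempFileInfo) Size() int64 {
	return 100
}

// Sys returns nil; there is no underlying data source.
func (t *tempFileInfo) Sys() any {
	return nil
}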
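// TestZipSlip checks that getAbsoluteFilePath refuses archive entry names
// that use ".." segments to resolve outside the configured template directory
// (zip-slip / path traversal while extracting templates). For every such
// entry the test expects an empty write path.
func TestZipSlip(t *testing.T) {
	if runtime.GOOS == "windows" {
		t.Skip("Skipping Unix Zip LFI Check")
	}

	// Work under a directory this test creates and owns. A fixed
	// "<tmp>/templates" path is shared with anything else on the machine, and
	// removing it recursively on exit could delete data the test never wrote.
	baseDir, err := os.MkdirTemp("", "nuclei-zipslip-")
	require.NoError(t, err)
	t.Cleanup(func() {
		_ = os.RemoveAll(baseDir)
	})
	configuredTemplateDirectory := filepath.Join(baseDir, "templates")

	t.Run("negative scenarios", func(t *testing.T) {
		// NOTE(review): every case below is a relative ".." traversal.
		// Absolute entry names, and a destination that only shares a string
		// prefix with the template directory (a sibling directory), are not
		// exercised here; worth covering if the check is a prefix comparison.
		filePathsFromZip := []string{
			"./../nuclei-templates/../cve/test.yaml",
			"nuclei-templates/../cve/test.yaml",
			"nuclei-templates/././../cve/test.yaml",
			"nuclei-templates/.././../cve/test.yaml",
			"nuclei-templates/.././../cve/../test.yaml",
		}
		tm := TemplateManager{}

		for _, filePathFromZip := range filePathsFromZip {
			var tmp fs.FileInfo = &tempFileInfo{name: filePathFromZip}
			writePath := tm.getAbsoluteFilePath(configuredTemplateDirectory, filePathFromZip, tmp)
			require.Equal(t, "", writePath, "entry %q must not yield a write path", filePathFromZip)
		}
	})
}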