actions
/
toolkit
mirror of https://github.com/actions/toolkit
1
0
Fork 0
Code

attempt with comparing index

pull/1666/head
bethanyj28 2024-02-23 11:59:36 -05:00
parent e9005f7727
commit 76489f433b
2 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
packages/artifact/__tests__/download-artifact.test.ts
View File

@ -13,7 +13,7 @@ import {
streamExtractExternal
} from '../src/internal/download/download-artifact'
import {getUserAgentString} from '../src/internal/shared/user-agent'
import {noopLogs} from './common'
//import {noopLogs} from './common'
import * as config from '../src/internal/shared/config'
import {ArtifactServiceClientJSON} from '../src/generated'
import * as util from '../src/internal/shared/util'
@ -88,7 +88,7 @@ const expectExtractedArchive = async (dir: string): Promise<void> => {
}
const setup = async (): Promise<void> => {
noopLogs()
//noopLogs()
await fs.promises.mkdir(testDir, {recursive: true})
await createTestArchive()
@ -180,7 +180,7 @@ describe('download-artifact', () => {
expect(response.downloadPath).toBe(fixtures.workspaceDir)
})
it('should not allow path traversal from malicious artifacts', async () => {
it.only('should not allow path traversal from malicious artifacts', async () => {
const downloadArtifactMock = github.getOctokit(fixtures.token).rest
.actions.downloadArtifact as MockedDownloadArtifact
downloadArtifactMock.mockResolvedValueOnce({

10
packages/artifact/src/internal/download/download-artifact.ts
View File

@ -94,10 +94,12 @@ export async function streamExtractExternal(
})
.pipe(unzip.Parse())
.on('entry', (entry: unzip.Entry) => {
const entryPath = path
.normalize(entry.path)
.replace(/^(\.\.(\/|\\|$))+/, '')
const fullPath = path.join(directory, entryPath)
console.log(`entryPath: ${entry.path}`)
const fullPath = path.normalize(path.join(directory, entry.path))
console.log(`fullPath: ${fullPath}`)
if (fullPath.indexOf(directory) != 0) {
reject(new Error(`Invalid file path: ${fullPath}`))
}
core.debug(`Extracting artifact entry: ${fullPath}`)
if (entry.type === 'Directory') {
promises.push(resolveOrCreateDirectory(fullPath).then(() => {}))