
attempt with comparing index

pull/1666/head
bethanyj28 2024-02-23 11:59:36 -05:00
parent e9005f7727
commit 76489f433b
2 changed files with 9 additions and 7 deletions


@ -13,7 +13,7 @@ import {
streamExtractExternal streamExtractExternal
} from '../src/internal/download/download-artifact' } from '../src/internal/download/download-artifact'
import {getUserAgentString} from '../src/internal/shared/user-agent' import {getUserAgentString} from '../src/internal/shared/user-agent'
import {noopLogs} from './common' //import {noopLogs} from './common'
import * as config from '../src/internal/shared/config' import * as config from '../src/internal/shared/config'
import {ArtifactServiceClientJSON} from '../src/generated' import {ArtifactServiceClientJSON} from '../src/generated'
import * as util from '../src/internal/shared/util' import * as util from '../src/internal/shared/util'
@ -88,7 +88,7 @@ const expectExtractedArchive = async (dir: string): Promise<void> => {
} }
const setup = async (): Promise<void> => { const setup = async (): Promise<void> => {
noopLogs() //noopLogs()
await fs.promises.mkdir(testDir, {recursive: true}) await fs.promises.mkdir(testDir, {recursive: true})
await createTestArchive() await createTestArchive()
@ -180,7 +180,7 @@ describe('download-artifact', () => {
expect(response.downloadPath).toBe(fixtures.workspaceDir) expect(response.downloadPath).toBe(fixtures.workspaceDir)
}) })
it('should not allow path traversal from malicious artifacts', async () => { it.only('should not allow path traversal from malicious artifacts', async () => {
const downloadArtifactMock = github.getOctokit(fixtures.token).rest const downloadArtifactMock = github.getOctokit(fixtures.token).rest
.actions.downloadArtifact as MockedDownloadArtifact .actions.downloadArtifact as MockedDownloadArtifact
downloadArtifactMock.mockResolvedValueOnce({ downloadArtifactMock.mockResolvedValueOnce({
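Review bot: The `it.only(...)` variant at the `should not allow path traversal from malicious artifacts` line — presumably the new side, since the render drops the +/- markers and the commit reads as a debugging attempt — would make Jest skip every other test in this file once it lands, and the commented-out `noopLogs` import and `//noopLogs()` call in the first two hunks are the same kind of leftover. Before merging, restore `it(` and the `noopLogs` import and call rather than leaving commented-out code behind. The third hunk's remaining lines fall outside this view.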


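--- a/src/internal/download/download-artifact.ts
+++ b/src/internal/download/download-artifact.ts
@@ -94,10 +94,12 @@ export async function streamExtractExternal(
 })
 .pipe(unzip.Parse())
 .on('entry', (entry: unzip.Entry) => {
-const entryPath = path
-.normalize(entry.path)
-.replace(/^(\.\.(\/|\\|$))+/, '')
-const fullPath = path.join(directory, entryPath)
+console.log(`entryPath: ${entry.path}`)
+const fullPath = path.normalize(path.join(directory, entry.path))
+console.log(`fullPath: ${fullPath}`)
+if (fullPath.indexOf(directory) != 0) {
+reject(new Error(`Invalid file path: ${fullPath}`))
+}
 core.debug(`Extracting artifact entry: ${fullPath}`)
 if (entry.type === 'Directory') {
 promises.push(resolveOrCreateDirectory(fullPath).then(() => {}))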
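Review bot: The new guard at `if (fullPath.indexOf(directory) != 0)` rejects the outer promise but does not leave the entry handler, so `core.debug`, `resolveOrCreateDirectory(fullPath)` and whatever file handling follows still run for the offending entry — the traversal is reported, not prevented; the branch needs a `return`, and the entry should be drained so the parse stream does not stall (unzip-stream entries expose `autodrain()` for this, if that is the library behind `unzip.Parse()`). A bare `indexOf(directory)` prefix test is also too loose: it accepts a sibling such as `${directory}-x/…`, and it breaks silently if `directory` is relative or not normalized, so compare resolved paths on a separator boundary and use `!==`. The two `console.log` calls look like debugging leftovers that print every entry path to stdout; `core.debug` on the following line already covers that. The rewritten lines are below; the handler's remainder (directory/file branches) lies outside the hunk.
```typescript
.on('entry', (entry: unzip.Entry) => {
  const root = path.resolve(directory)
  const fullPath = path.join(root, entry.path) // join() normalizes; root is absolute
  // Compare on a separator boundary so `${root}-other/…` is rejected as well
  if (fullPath !== root && !fullPath.startsWith(root + path.sep)) {
    reject(new Error(`Invalid file path: ${fullPath}`))
    entry.autodrain()
    return
  }
  core.debug(`Extracting artifact entry: ${fullPath}`)
  // … unchanged: directory / file handling …
```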