
Fix tests

pull/12001/head
Jordi Boggiano 2024-05-29 22:08:42 +02:00
parent de5f7e3241
commit dd8af946fd
No known key found for this signature in database
GPG Key ID: 7BBD42C429EC80BC
2 changed files with 21 additions and 15 deletions


@ -213,26 +213,26 @@ class ZipDownloader extends ArchiveDownloader
$retval = $zipArchive->open($file); $retval = $zipArchive->open($file);
} }
$totalSize = 0; if (true === $retval) {
$archiveSize = filesize($file); $totalSize = 0;
$totalFiles = $zipArchive->count(); $archiveSize = filesize($file);
if ($totalFiles > 0) { $totalFiles = $zipArchive->count();
for ($i = 0; $i < min($totalFiles, 5); $i++) { if ($totalFiles > 0) {
$stat = $zipArchive->statIndex(random_int(0, $totalFiles - 1)); for ($i = 0; $i < min($totalFiles, 5); $i++) {
if ($stat === false) { $stat = $zipArchive->statIndex(random_int(0, $totalFiles - 1));
continue; if ($stat === false) {
continue;
}
$totalSize += $stat['size'];
if ($stat['size'] > $stat['comp_size'] * 200) {
throw new \RuntimeException('Invalid zip file with compression ratio >99% (possible zip bomb)');
}
} }
$totalSize += $stat['size']; if ($archiveSize !== false && $totalSize > $archiveSize * 100 && $totalSize > 50*1024*1024) {
if ($stat['size'] > $stat['comp_size'] * 200) {
throw new \RuntimeException('Invalid zip file with compression ratio >99% (possible zip bomb)'); throw new \RuntimeException('Invalid zip file with compression ratio >99% (possible zip bomb)');
} }
} }
if ($archiveSize !== false && $totalSize > $archiveSize * 100 && $totalSize > 50*1024*1024) {
throw new \RuntimeException('Invalid zip file with compression ratio >99% (possible zip bomb)');
}
}
if (true === $retval) {
$extractResult = $zipArchive->extractTo($path); $extractResult = $zipArchive->extractTo($path);
if (true === $extractResult) { if (true === $extractResult) {
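Review bot: The zip-bomb guard inside the new `if (true === $retval)` block inspects at most five entries chosen with `random_int(0, $totalFiles - 1)`, so in a large archive most entries are never checked. Because the draw is with replacement, the same entry can also be added to `$totalSize` more than once, which makes the outcome differ between runs on the same file. As `statIndex()` appears to read only directory metadata, checking every entry would be steadier where the cost is acceptable: `for ($i = 0; $i < $totalFiles; $i++) {` with `$stat = $zipArchive->statIndex($i);`. The sizes are the ones the archive declares about itself, so a comment such as `// heuristic: sizes are declared by the archive, not measured during extraction` would stop readers treating this as a hard limit. Both throws also leave `$zipArchive` open unless code outside the hunk closes it; the enclosing method starts and ends outside the hunk, so that cannot be confirmed here.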


@ -167,6 +167,9 @@ class ZipDownloaderTest extends TestCase
$zipArchive->expects($this->once()) $zipArchive->expects($this->once())
->method('extractTo') ->method('extractTo')
->will($this->returnValue(true)); ->will($this->returnValue(true));
$zipArchive->expects($this->once())
->method('count')
->will($this->returnValue(0));
$this->setPrivateProperty('zipArchiveObject', $zipArchive, $downloader); $this->setPrivateProperty('zipArchiveObject', $zipArchive, $downloader);
$promise = $downloader->extract($this->package, $this->filename, 'vendor/dir'); $promise = $downloader->extract($this->package, $this->filename, 'vendor/dir');
@ -261,6 +264,9 @@ class ZipDownloaderTest extends TestCase
$zipArchive->expects($this->once()) $zipArchive->expects($this->once())
->method('extractTo') ->method('extractTo')
->will($this->returnValue(true)); ->will($this->returnValue(true));
$zipArchive->expects($this->once())
->method('count')
->will($this->returnValue(0));
$downloader = new MockedZipDownloader($this->io, $this->config, $this->httpDownloader, null, null, null, $processExecutor); $downloader = new MockedZipDownloader($this->io, $this->config, $this->httpDownloader, null, null, null, $processExecutor);
$this->setPrivateProperty('zipArchiveObject', $zipArchive, $downloader); $this->setPrivateProperty('zipArchiveObject', $zipArchive, $downloader);