This is an automated email from the ASF dual-hosted git repository. heneveld pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
commit e50ea74b85352c9fb637d46af5ba85ce03a750e9 Author: Juan Cabrerizo <[email protected]> AuthorDate: Tue Nov 29 10:29:32 2022 +0000 test for checking exception malicious zip files are not extracted --- .../brooklyn/util/core/file/ArchiveUtilsTest.java | 34 ++++++++++++++++++++- .../brooklyn/util/file.core/evilLinux.zip | Bin 0 -> 326 bytes .../resources/brooklyn/util/file.core/evilWin.zip | Bin 0 -> 174 bytes .../resources/brooklyn/util/file.core/noEvil.zip | Bin 0 -> 334 bytes 4 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/core/src/test/java/org/apache/brooklyn/util/core/file/ArchiveUtilsTest.java b/core/src/test/java/org/apache/brooklyn/util/core/file/ArchiveUtilsTest.java
index fef814de3d..c87e0229d7 100644
--- a/core/src/test/java/org/apache/brooklyn/util/core/file/ArchiveUtilsTest.java
+++ b/core/src/test/java/org/apache/brooklyn/util/core/file/ArchiveUtilsTest.java
@@ -23,8 +23,16 @@ import static org.testng.Assert.assertFalse;
 import static org.testng.Assert.assertTrue;
 import java.io.File;
+import java.io.InputStream;
+import java.io.Reader;
+import java.nio.file.StandardOpenOption;
 import java.util.Map;
+import java.util.zip.ZipFile;
+import com.google.common.io.ByteStreams;
+import org.apache.brooklyn.util.stream.InputStreamSource;
+import org.apache.brooklyn.util.stream.Streams;
+import org.apache.commons.io.FileUtils;
 import org.testng.annotations.AfterClass;
 import org.testng.annotations.AfterMethod;
 import org.testng.annotations.BeforeClass;
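Review bot: Four of the imports added here, `java.io.Reader`, `org.apache.brooklyn.util.stream.InputStreamSource`, `org.apache.brooklyn.util.stream.Streams` and `org.apache.commons.io.FileUtils`, are not referenced by the test methods this commit adds, and no other hunk touches this file. Unless something outside the visible hunks uses them, they should be dropped so the import list reflects what the tests actually depend on.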
@@ -110,7 +118,31 @@ public class ArchiveUtilsTest extends BrooklynAppUnitTestSupport {
 ArchiveUtils.deploy(origJar.getAbsolutePath(), machine, destDir.getAbsolutePath(), destFile);
 assertFilesEqual(new File(destDir, destFile), origJar);
 }
-
+ @Test(expectedExceptions = IllegalStateException.class)
+ public void testUnzipFileAccessingPathOutsideTargetFolderEvilWinFormat() throws Exception{
+ InputStream evilZip = ResourceUtils.create(this).getResourceFromUrl("classpath://brooklyn/util/file.core/evilWin.zip");
+ File tempZipFile = File.createTempFile("test-zip",null);
+ tempZipFile.deleteOnExit();
+ java.nio.file.Files.write(tempZipFile.toPath(), ByteStreams.toByteArray(evilZip), StandardOpenOption.TRUNCATE_EXISTING);
+ ArchiveUtils.extractZip(new ZipFile(tempZipFile),destDir.getAbsolutePath());
+ }
+ @Test(expectedExceptions = IllegalStateException.class)
+ public void testUnzipFileAccessingPathOutsideTargetFolderEvilLinuxFormat() throws Exception{
+ InputStream evilZip = ResourceUtils.create(this).getResourceFromUrl("classpath://brooklyn/util/file.core/evilLinux.zip");
+ File tempZipFile = File.createTempFile("test-zip",null);
+ tempZipFile.deleteOnExit();
+ java.nio.file.Files.write(tempZipFile.toPath(), ByteStreams.toByteArray(evilZip), StandardOpenOption.TRUNCATE_EXISTING);
+ ArchiveUtils.extractZip(new ZipFile(tempZipFile),destDir.getAbsolutePath());
+ }
+ @Test
+ public void testUnzipFileAccessingPathOutsideTargetFolderNoEvil() throws Exception{
+ InputStream noEvilZip = ResourceUtils.create(this).getResourceFromUrl("classpath://brooklyn/util/file.core/noEvil.zip");
+ File tempZipFile = File.createTempFile("test-zip",null);
+ tempZipFile.deleteOnExit();
+ java.nio.file.Files.write(tempZipFile.toPath(), ByteStreams.toByteArray(noEvilZip), StandardOpenOption.TRUNCATE_EXISTING);
+ ArchiveUtils.extractZip(new ZipFile(tempZipFile),destDir.getAbsolutePath());
+ }
+
 private File newZip(Map<String, String> files) throws Exception {
 File parentDir = 
Os.newTempDir(getClass().getSimpleName()+"-archive");
 for (Map.Entry<String, String> entry : files.entrySet()) {
diff --git a/core/src/test/resources/brooklyn/util/file.core/evilLinux.zip b/core/src/test/resources/brooklyn/util/file.core/evilLinux.zip
new file mode 100644
index 0000000000..01d929ab67
Binary files /dev/null and b/core/src/test/resources/brooklyn/util/file.core/evilLinux.zip differ
diff --git a/core/src/test/resources/brooklyn/util/file.core/evilWin.zip b/core/src/test/resources/brooklyn/util/file.core/evilWin.zip
new file mode 100644
index 0000000000..4e3c586603
Binary files /dev/null and b/core/src/test/resources/brooklyn/util/file.core/evilWin.zip differ
diff --git a/core/src/test/resources/brooklyn/util/file.core/noEvil.zip b/core/src/test/resources/brooklyn/util/file.core/noEvil.zip
new file mode 100644
index 0000000000..3e6b09c2b9
Binary files /dev/null and b/core/src/test/resources/brooklyn/util/file.core/noEvil.zip differ
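Review bot: The two `expectedExceptions = IllegalStateException.class` tests pass when any statement in the method throws that type and never check the filesystem, so an `extractZip` that writes the escaping entry and only then throws would still pass. After the failed extraction, assert that nothing was created outside `destDir` (the entry names are not visible here because the fixtures are binary), and in the `NoEvil` test assert that the expected file does exist under `destDir`. The `ZipFile` and the resource `InputStream` are never closed in any of the three methods; unless `extractZip` closes the archive itself, the handle leaks and can keep `deleteOnExit()` from removing the temp file on Windows. A shared helper with try-with-resources, as below, fixes that and removes the triplicated body.

```java
// Shared by the three tests: copies the classpath fixture to a temp file and
// extracts it into destDir, closing both the stream and the archive.
private void extractResourceZip(String classpathUrl) throws Exception {
    File tempZipFile = File.createTempFile("test-zip", null);
    tempZipFile.deleteOnExit();
    try (InputStream in = ResourceUtils.create(this).getResourceFromUrl(classpathUrl)) {
        java.nio.file.Files.write(tempZipFile.toPath(), ByteStreams.toByteArray(in), StandardOpenOption.TRUNCATE_EXISTING);
    }
    try (ZipFile zip = new ZipFile(tempZipFile)) {
        ArchiveUtils.extractZip(zip, destDir.getAbsolutePath());
    }
}

@Test(expectedExceptions = IllegalStateException.class)
public void testUnzipFileAccessingPathOutsideTargetFolderEvilWinFormat() throws Exception {
    extractResourceZip("classpath://brooklyn/util/file.core/evilWin.zip");
}
// … unchanged apart from calling the helper: the EvilLinuxFormat and NoEvil tests …
```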
