rubyzip 1.2.0 → 1.3.0

data/lib/zip/output_stream.rb

@@ -87,11 +87,11 @@ module Zip
     # +entry+ can be a ZipEntry object or a string.
     def put_next_entry(entry_name, comment = nil, extra = nil, compression_method = Entry::DEFLATED, level = Zip.default_compression)
       raise Error, 'zip stream is closed' if @closed
-      if entry_name.kind_of?(Entry)
-        new_entry = entry_name
-      else
-        new_entry = Entry.new(@file_name, entry_name.to_s)
-      end
+      new_entry = if entry_name.kind_of?(Entry)
+                    entry_name
+                  else
+                    Entry.new(@file_name, entry_name.to_s)
+                  end
       new_entry.comment = comment unless comment.nil?
       unless extra.nil?
         new_entry.extra = extra.is_a?(ExtraField) ? extra : ExtraField.new(extra.to_s)

data/lib/zip/pass_thru_decompressor.rb

@@ -1,5 +1,5 @@
 module Zip
-  class PassThruDecompressor < Decompressor  #:nodoc:all
+  class PassThruDecompressor < Decompressor #:nodoc:all
     def initialize(input_stream, chars_to_read)
       super(input_stream)
       @chars_to_read = chars_to_read

data/lib/zip/streamable_stream.rb

@@ -5,7 +5,7 @@ module Zip
       dirname = if zipfile.is_a?(::String)
                   ::File.dirname(zipfile)
                 else
-                  '.'
+                  nil
                 end
       @temp_file = Tempfile.new(::File.basename(name), dirname)
       @temp_file.binmode

data/lib/zip/version.rb

@@ -1,3 +1,3 @@
 module Zip
-  VERSION = '1.2.0'
+  VERSION = '1.3.0'
 end

data/samples/example_recursive.rb

@@ -6,7 +6,7 @@ require 'zip'
 # included in the archive, rather just its contents.
 #
 # Usage:
-#   directoryToZip = "/tmp/input"
+#   directory_to_zip = "/tmp/input"
 #   output_file = "/tmp/out.zip"
 #   zf = ZipFileGenerator.new(directory_to_zip, output_file)
 #   zf.write()
@@ -19,39 +19,36 @@ class ZipFileGenerator
 
   # Zip the input directory.
   def write
-    entries = Dir.entries(@input_dir) - %w(. ..)
+    entries = Dir.entries(@input_dir) - %w[. ..]
 
-    ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |io|
-      write_entries entries, '', io
+    ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |zipfile|
+      write_entries entries, '', zipfile
     end
   end
 
   private
 
   # A helper method to make the recursion work.
-  def write_entries(entries, path, io)
+  def write_entries(entries, path, zipfile)
     entries.each do |e|
-      zip_file_path = path == '' ? e : File.join(path, e)
-      disk_file_path = File.join(@input_dir, zip_file_path)
-      puts "Deflating #{disk_file_path}"
+      zipfile_path = path == '' ? e : File.join(path, e)
+      disk_file_path = File.join(@input_dir, zipfile_path)
 
       if File.directory? disk_file_path
-        recursively_deflate_directory(disk_file_path, io, zip_file_path)
+        recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
       else
-        put_into_archive(disk_file_path, io, zip_file_path)
+        put_into_archive(disk_file_path, zipfile, zipfile_path)
       end
     end
   end
 
-  def recursively_deflate_directory(disk_file_path, io, zip_file_path)
-    io.mkdir zip_file_path
-    subdir = Dir.entries(disk_file_path) - %w(. ..)
-    write_entries subdir, zip_file_path, io
+  def recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
+    zipfile.mkdir zipfile_path
+    subdir = Dir.entries(disk_file_path) - %w[. ..]
+    write_entries subdir, zipfile_path, zipfile
   end
 
-  def put_into_archive(disk_file_path, io, zip_file_path)
-    io.get_output_stream(zip_file_path) do |f|
-      f.write(File.open(disk_file_path, 'rb').read)
-    end
+  def put_into_archive(disk_file_path, zipfile, zipfile_path)
+    zipfile.add(zipfile_path, disk_file_path)
   end
 end

data/samples/gtk_ruby_zip.rb

@@ -31,7 +31,7 @@ class MainApp < Gtk::Window
     sw.set_policy(Gtk::POLICY_AUTOMATIC, Gtk::POLICY_AUTOMATIC)
     box.pack_start(sw, true, true, 0)
 
-    @clist = Gtk::CList.new(%w(Name Size Compression))
+    @clist = Gtk::CList.new(%w[Name Size Compression])
     @clist.set_selection_mode(Gtk::SELECTION_BROWSE)
     @clist.set_column_width(0, 120)
     @clist.set_column_width(1, 120)

data/samples/qtzip.rb

@@ -65,7 +65,7 @@ class ZipDialog < ZipDialogUI
     end
     puts "selected_items.size = #{selected_items.size}"
     puts "unselected_items.size = #{unselected_items.size}"
-    items = selected_items.size > 0 ? selected_items : unselected_items
+    items = !selected_items.empty? ? selected_items : unselected_items
     puts "items.size = #{items.size}"
 
     d = Qt::FileDialog.get_existing_directory(nil, self)

data/samples/zipfind.rb

@@ -31,7 +31,7 @@ module Zip
   end
 end
 
-if __FILE__ == $0
+if $0 == __FILE__
   module ZipFindConsoleRunner
     PATH_ARG_INDEX = 0
     FILENAME_PATTERN_ARG_INDEX = 1
@@ -47,7 +47,7 @@ if __FILE__ == $0
     end
 
     def self.check_args(args)
-      if (args.size != 3)
+      if args.size != 3
         usage
         exit
       end

data/test/central_directory_entry_test.rb

@@ -2,7 +2,7 @@ require 'test_helper'
 
 class ZipCentralDirectoryEntryTest < MiniTest::Test
   def test_read_from_stream
-    File.open('test/data/testDirectory.bin', 'rb') do  |file|
+    File.open('test/data/testDirectory.bin', 'rb') do |file|
       entry = ::Zip::Entry.read_c_dir_entry(file)
 
       assert_equal('longAscii.txt', entry.name)
@@ -37,7 +37,7 @@ class ZipCentralDirectoryEntryTest < MiniTest::Test
       assert_equal('', entry.comment)
 
       entry = ::Zip::Entry.read_c_dir_entry(file)
-      assert_equal(nil, entry)
+      assert_nil(entry)
       # Fields that are not check by this test:
       #          version made by                 2 bytes
       #          version needed to extract       2 bytes

data/test/crypto/null_encryption_test.rb

@@ -18,7 +18,9 @@ class NullEncrypterTest < MiniTest::Test
   end
 
   def test_encrypt
-    [nil, '', 'a' * 10, 0xffffffff].each do |data|
+    assert_nil @encrypter.encrypt(nil)
+
+    ['', 'a' * 10, 0xffffffff].each do |data|
       assert_equal data, @encrypter.encrypt(data)
     end
   end
@@ -42,7 +44,9 @@ class NullDecrypterTest < MiniTest::Test
   end
 
   def test_decrypt
-    [nil, '', 'a' * 10, 0xffffffff].each do |data|
+    assert_nil @decrypter.decrypt(nil)
+
+    ['', 'a' * 10, 0xffffffff].each do |data|
       assert_equal data, @decrypter.decrypt(data)
     end
   end

data/test/data/path_traversal/Makefile

@@ -0,0 +1,10 @@
+# Based on 'relative2' in https://github.com/jwilk/path-traversal-samples,
+# but create the local `tmp` folder before adding the symlink. Otherwise
+# we may bail out before we get to trying to create the file.
+all: relative1.zip
+relative1.zip:
+	rm -f $(@)
+	mkdir -p -m 755 tmp/tmp
+	umask 022 && echo moo > moo
+	cd tmp && zip -X ../$(@) tmp tmp/../../moo
+	rm -rf tmp moo

data/test/data/path_traversal/jwilk/README.md

@@ -0,0 +1,5 @@
+# Path Traversal Samples
+
+Copied from https://github.com/jwilk/path-traversal-samples on 2018-08-26.
+
+License: MIT

data/test/data/path_traversal/tuzovakaoff/README.md

@@ -0,0 +1,3 @@
+# Path Traversal Samples
+
+Copied from https://github.com/tuzovakaoff/zip_path_traversal on 2018-08-25.

data/test/entry_set_test.rb

@@ -76,7 +76,7 @@ class ZipEntrySetTest < MiniTest::Test
     ::Zip.case_insensitive_match = false
     zipEntrySet = ::Zip::EntrySet.new(entries)
     assert_equal(entries[0], zipEntrySet.find_entry('MiXeDcAsEnAmE'))
-    assert_equal(nil, zipEntrySet.find_entry('mixedcasename'))
+    assert_nil(zipEntrySet.find_entry('mixedcasename'))
   end
 
   def test_entries_with_sort
@@ -123,7 +123,7 @@ class ZipEntrySetTest < MiniTest::Test
     ]
     entrySet = ::Zip::EntrySet.new(entries)
 
-    assert_equal(nil, entrySet.parent(entries[0]))
+    assert_nil(entrySet.parent(entries[0]))
     assert_equal(entries[0], entrySet.parent(entries[1]))
     assert_equal(entries[1], entrySet.parent(entries[2]))
   end
@@ -149,4 +149,15 @@ class ZipEntrySetTest < MiniTest::Test
     # assert_equal(entries.size, res.size)
     # assert_equal(entrySet.map { |e| e.name }, res.map { |e| e.name })
   end
+
+  def test_glob3
+    entries = [
+      ::Zip::Entry.new('zf.zip', 'a/a'),
+      ::Zip::Entry.new('zf.zip', 'a/b'),
+      ::Zip::Entry.new('zf.zip', 'a/c')
+    ]
+    entrySet = ::Zip::EntrySet.new(entries)
+
+    assert_equal(entries[0, 2].sort, entrySet.glob('a/{a,b}').sort)
+  end
 end

data/test/entry_test.rb

@@ -1,16 +1,7 @@
 require 'test_helper'
 
 class ZipEntryTest < MiniTest::Test
-  TEST_ZIPFILE = 'someZipFile.zip'
-  TEST_COMMENT = 'a comment'
-  TEST_COMPRESSED_SIZE = 1234
-  TEST_CRC = 325_324
-  TEST_EXTRA = 'Some data here'
-  TEST_COMPRESSIONMETHOD = ::Zip::Entry::DEFLATED
-  TEST_NAME = 'entry name'
-  TEST_SIZE = 8432
-  TEST_ISDIRECTORY = false
-  TEST_TIME = Time.now
+  include ZipEntryData
 
   def test_constructor_and_getters
     entry = ::Zip::Entry.new(TEST_ZIPFILE,
@@ -118,8 +109,8 @@ class ZipEntryTest < MiniTest::Test
     entry5 = ::Zip::Entry.new('zf.zip', 'aa/bb/cc')
     entry6 = ::Zip::Entry.new('zf.zip', 'aa/bb/cc/')
 
-    assert_equal(nil, entry1.parent_as_string)
-    assert_equal(nil, entry2.parent_as_string)
+    assert_nil(entry1.parent_as_string)
+    assert_nil(entry2.parent_as_string)
     assert_equal('aa/', entry3.parent_as_string)
     assert_equal('aa/', entry4.parent_as_string)
     assert_equal('aa/bb/', entry5.parent_as_string)

data/test/errors_test.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 require 'test_helper'
 
 class ErrorsTest < MiniTest::Test

data/test/file_extract_test.rb

@@ -10,6 +10,10 @@ class ZipFileExtractTest < MiniTest::Test
     ::File.delete(EXTRACTED_FILENAME) if ::File.exist?(EXTRACTED_FILENAME)
   end
 
+  def teardown
+    ::Zip.reset!
+  end
+
   def test_extract
     ::Zip::File.open(TEST_ZIP.zip_name) do |zf|
       zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
@@ -80,4 +84,62 @@ class ZipFileExtractTest < MiniTest::Test
     end
     assert(!File.exist?(outFile))
   end
+
+  def test_extract_incorrect_size
+    # The uncompressed size fields in the zip file cannot be trusted. This makes
+    # it harder for callers to validate the sizes of the files they are
+    # extracting, which can lead to denial of service. See also
+    # https://en.wikipedia.org/wiki/Zip_bomb
+    Dir.mktmpdir do |tmp|
+      real_zip = File.join(tmp, 'real.zip')
+      fake_zip = File.join(tmp, 'fake.zip')
+      file_name = 'a'
+      true_size = 500_000
+      fake_size = 1
+
+      ::Zip::File.open(real_zip, ::Zip::File::CREATE) do |zf|
+        zf.get_output_stream(file_name) do |os|
+          os.write 'a' * true_size
+        end
+      end
+
+      compressed_size = nil
+      ::Zip::File.open(real_zip) do |zf|
+        a_entry = zf.find_entry(file_name)
+        compressed_size = a_entry.compressed_size
+        assert_equal true_size, a_entry.size
+      end
+
+      true_size_bytes = [compressed_size, true_size, file_name.size].pack('LLS')
+      fake_size_bytes = [compressed_size, fake_size, file_name.size].pack('LLS')
+
+      data = File.binread(real_zip)
+      assert data.include?(true_size_bytes)
+      data.gsub! true_size_bytes, fake_size_bytes
+
+      File.open(fake_zip, 'wb') do |file|
+        file.write data
+      end
+
+      Dir.chdir tmp do
+        ::Zip::File.open(fake_zip) do |zf|
+          a_entry = zf.find_entry(file_name)
+          assert_equal fake_size, a_entry.size
+
+          ::Zip.validate_entry_sizes = false
+          a_entry.extract
+          assert_equal true_size, File.size(file_name)
+          FileUtils.rm file_name
+
+          ::Zip.validate_entry_sizes = true
+          error = assert_raises ::Zip::EntrySizeError do
+            a_entry.extract
+          end
+          assert_equal \
+            'Entry a should be 1B but is larger when inflated',
+            error.message
+        end
+      end
+    end
+  end
 end

data/test/file_permissions_test.rb

@@ -1,69 +1,65 @@
 require 'test_helper'
 
 class FilePermissionsTest < MiniTest::Test
-
-  FILENAME = File.join(File.dirname(__FILE__), "umask.zip")
+  ZIPNAME = File.join(File.dirname(__FILE__), 'umask.zip')
+  FILENAME = File.join(File.dirname(__FILE__), 'umask.txt')
 
   def teardown
+    ::File.unlink(ZIPNAME)
     ::File.unlink(FILENAME)
   end
 
-  if ::Zip::RUNNING_ON_WINDOWS
-    # Windows tests
-
-    DEFAULT_PERMS = 0644
-
-    def test_windows_perms
-      create_file
+  def test_current_umask
+    create_files
+    assert_matching_permissions FILENAME, ZIPNAME
+  end
 
-      assert_equal DEFAULT_PERMS, ::File.stat(FILENAME).mode
+  def test_umask_000
+    set_umask(0o000) do
+      create_files
     end
 
-  else
-    # Unix tests
-
-    DEFAULT_PERMS = 0100666
-
-    def test_current_umask
-      umask = DEFAULT_PERMS - ::File.umask
-      create_file
+    assert_matching_permissions FILENAME, ZIPNAME
+  end
 
-      assert_equal umask, ::File.stat(FILENAME).mode
+  def test_umask_066
+    set_umask(0o066) do
+      create_files
     end
 
-    def test_umask_000
-      set_umask(0000) do
-        create_file
-      end
+    assert_matching_permissions FILENAME, ZIPNAME
+  end
 
-      assert_equal DEFAULT_PERMS, ::File.stat(FILENAME).mode
+  def test_umask_027
+    set_umask(0o027) do
+      create_files
     end
 
-    def test_umask_066
-      umask = 0066
-      set_umask(umask) do
-        create_file
-      end
-
-      assert_equal((DEFAULT_PERMS - umask), ::File.stat(FILENAME).mode)
-    end
+    assert_matching_permissions FILENAME, ZIPNAME
+  end
 
+  def assert_matching_permissions(expected_file, actual_file)
+    assert_equal(
+      ::File.stat(expected_file).mode.to_s(8).rjust(4, '0'),
+      ::File.stat(actual_file).mode.to_s(8).rjust(4, '0')
+    )
   end
 
-  def create_file
-    ::Zip::File.open(FILENAME, ::Zip::File::CREATE) do |zip|
-      zip.comment = "test"
+  def create_files
+    ::Zip::File.open(ZIPNAME, ::Zip::File::CREATE) do |zip|
+      zip.comment = 'test'
     end
-  end
 
-  # If anything goes wrong, make sure the umask is restored.
-  def set_umask(umask, &block)
-    begin
-      saved_umask = ::File.umask(umask)
-      yield
-    ensure
-      ::File.umask(saved_umask)
+    ::File.open(FILENAME, 'w') do |file|
+      file << 'test'
     end
   end
 
+  # If anything goes wrong, make sure the umask is restored.
+  def set_umask(umask)
+    saved_umask = ::File.umask(umask)
+    yield
+  ensure
+    ::File.umask(saved_umask)
+  end
 end