rubyzip 1.2.1 → 1.2.2

data/test/input_stream_test.rb

@@ -70,7 +70,7 @@ class ZipInputStreamTest < MiniTest::Test
       entry = zis.get_next_entry # longAscii.txt
       assert_equal(false, zis.eof?)
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[0], entry.name)
-      assert zis.gets.length > 0
+      assert !zis.gets.empty?
       assert_equal(false, zis.eof?)
       entry = zis.get_next_entry # empty.txt
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[1], entry.name)
@@ -84,10 +84,10 @@ class ZipInputStreamTest < MiniTest::Test
       assert_equal(true, zis.eof?)
       entry = zis.get_next_entry # short.txt
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[3], entry.name)
-      assert zis.gets.length > 0
+      assert !zis.gets.empty?
       entry = zis.get_next_entry # longBinary.bin
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[4], entry.name)
-      assert zis.gets.length > 0
+      assert !zis.gets.empty?
     end
   end
 
@@ -97,7 +97,7 @@ class ZipInputStreamTest < MiniTest::Test
       entry = zis.get_next_entry # longAscii.txt
       assert_equal(false, zis.eof?)
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[0], entry.name)
-      assert zis.gets.length > 0
+      assert !zis.gets.empty?
       assert_equal(false, zis.eof?)
       entry = zis.get_next_entry # empty.txt
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[1], entry.name)
@@ -111,10 +111,10 @@ class ZipInputStreamTest < MiniTest::Test
       assert_equal(true, zis.eof?)
       entry = zis.get_next_entry # short.txt
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[3], entry.name)
-      assert zis.gets.length > 0
+      assert !zis.gets.empty?
       entry = zis.get_next_entry # longBinary.bin
       assert_equal(TestZipFile::TEST_ZIP2.entry_names[4], entry.name)
-      assert zis.gets.length > 0
+      assert !zis.gets.empty?
     end
   end
 

data/test/ioextras/abstract_output_stream_test.rb

@@ -92,11 +92,11 @@ class AbstractOutputStreamTest < MiniTest::Test
     assert_equal("hello\nworld\n", @output_stream.buffer)
 
     @output_stream.buffer = ''
-    @output_stream.puts(["hello\n", "world\n"])
+    @output_stream.puts(%W[hello\n world\n])
     assert_equal("hello\nworld\n", @output_stream.buffer)
 
     @output_stream.buffer = ''
-    @output_stream.puts(["hello\n", "world\n"], 'bingo')
+    @output_stream.puts(%W[hello\n world\n], 'bingo')
     assert_equal("hello\nworld\nbingo\n", @output_stream.buffer)
 
     @output_stream.buffer = ''

data/test/path_traversal_test.rb

@@ -0,0 +1,134 @@
+class PathTraversalTest < MiniTest::Test
+  TEST_FILE_ROOT = File.absolute_path('test/data/path_traversal')
+
+  def setup
+    # With apologies to anyone using these files... but they are the files in
+    # the sample zips, so we don't have much choice here.
+    FileUtils.rm_f '/tmp/moo'
+    FileUtils.rm_f '/tmp/file.txt'
+  end
+
+  def extract_path_traversal_zip(name)
+    Zip::File.open(File.join(TEST_FILE_ROOT, name)) do |zip_file|
+      zip_file.each do |entry|
+        entry.extract
+      end
+    end
+  end
+
+  def in_tmpdir
+    Dir.mktmpdir do |tmp|
+      test_path = File.join(tmp, 'test')
+      Dir.mkdir test_path
+      Dir.chdir test_path do
+        yield test_path
+      end
+    end
+  end
+
+  def test_leading_slash
+    in_tmpdir do
+      extract_path_traversal_zip 'jwilk/absolute1.zip'
+      refute File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_multiple_leading_slashes
+    in_tmpdir do
+      extract_path_traversal_zip 'jwilk/absolute2.zip'
+      refute File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_leading_dot_dot
+    in_tmpdir do
+      extract_path_traversal_zip 'jwilk/relative0.zip'
+      refute File.exist?('../moo')
+    end
+  end
+
+  def test_non_leading_dot_dot_with_existing_folder
+    in_tmpdir do
+      extract_path_traversal_zip 'relative1.zip'
+      assert Dir.exist?('tmp')
+      refute File.exist?('../moo')
+    end
+  end
+
+  def test_non_leading_dot_dot_without_existing_folder
+    in_tmpdir do
+      extract_path_traversal_zip 'jwilk/relative2.zip'
+      refute File.exist?('../moo')
+    end
+  end
+
+  def test_file_symlink
+    in_tmpdir do
+      extract_path_traversal_zip 'jwilk/symlink.zip'
+      assert File.exist?('moo')
+      refute File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_directory_symlink
+    in_tmpdir do
+      # Can't create tmp/moo, because the tmp symlink is skipped.
+      assert_raises Errno::ENOENT do
+        extract_path_traversal_zip 'jwilk/dirsymlink.zip'
+      end
+      refute File.exist?('/tmp/moo')
+    end
+  end
+
+  def test_two_directory_symlinks_a
+    in_tmpdir do
+      # Can't create par/moo because the symlinks are skipped.
+      assert_raises Errno::ENOENT do
+        extract_path_traversal_zip 'jwilk/dirsymlink2a.zip'
+      end
+      refute File.exist?('cur')
+      refute File.exist?('par')
+      refute File.exist?('par/moo')
+    end
+  end
+
+  def test_two_directory_symlinks_b
+    in_tmpdir do
+      # Can't create par/moo, because the symlinks are skipped.
+      assert_raises Errno::ENOENT do
+        extract_path_traversal_zip 'jwilk/dirsymlink2b.zip'
+      end
+      refute File.exist?('cur')
+      refute File.exist?('../moo')
+    end
+  end
+
+  def test_entry_name_with_absolute_path_does_not_extract
+    in_tmpdir do
+      extract_path_traversal_zip 'tuzovakaoff/absolutepath.zip'
+      refute File.exist?('/tmp/file.txt')
+    end
+  end
+
+  def test_entry_name_with_absolute_path_extract_when_given_different_path
+    in_tmpdir do |test_path|
+      zip_path = File.join(TEST_FILE_ROOT, 'tuzovakaoff/absolutepath.zip')
+      Zip::File.open(zip_path) do |zip_file|
+        zip_file.each do |entry|
+          entry.extract(File.join(test_path, entry.name))
+        end
+      end
+      refute File.exist?('/tmp/file.txt')
+    end
+  end
+
+  def test_entry_name_with_relative_symlink
+    in_tmpdir do
+      # Doesn't create the symlink path, so can't create path/file.txt.
+      assert_raises Errno::ENOENT do
+        extract_path_traversal_zip 'tuzovakaoff/symlink.zip'
+      end
+      refute File.exist?('/tmp/file.txt')
+    end
+  end
+end

data/test/test_helper.rb

@@ -103,7 +103,7 @@ module AssertEntry
     File.open(filename, 'rb') do |file|
       expected = file.read
       actual = zis.read
-      if (expected != actual)
+      if expected != actual
         if (expected && actual) && (expected.length > 400 || actual.length > 400)
           zipEntryFilename = entryName + '.zipEntry'
           File.open(zipEntryFilename, 'wb') { |entryfile| entryfile << actual }
@@ -118,7 +118,7 @@ module AssertEntry
   def self.assert_contents(filename, aString)
     fileContents = ''
     File.open(filename, 'rb') { |f| fileContents = f.read }
-    if (fileContents != aString)
+    if fileContents != aString
       if fileContents.length > 400 || aString.length > 400
         stringFile = filename + '.other'
         File.open(stringFile, 'wb') { |f| f << aString }

data/test/unicode_file_names_and_comments_test.rb

@@ -33,6 +33,18 @@ class ZipUnicodeFileNamesAndComments < MiniTest::Test
         assert(filepath == entry_name)
       end
     end
+
+    ::Zip.force_entry_names_encoding = 'UTF-8'
+    ::Zip::File.open(FILENAME) do |zip|
+      file_entrys.each do |filename|
+        refute_nil(zip.find_entry(filename))
+      end
+      directory_entrys.each do |filepath|
+        refute_nil(zip.find_entry(filepath))
+      end
+    end
+    ::Zip.force_entry_names_encoding = nil
+
     ::File.unlink(FILENAME)
   end
 

data/test/zip64_full_test.rb

@@ -36,7 +36,7 @@ if ENV['FULL_ZIP64_TEST']
       end
 
       ::Zip::File.open(test_filename) do |zf|
-        assert_equal %w(first_file.txt huge_file last_file.txt), zf.entries.map(&:name)
+        assert_equal %w[first_file.txt huge_file last_file.txt], zf.entries.map(&:name)
         assert_equal first_text, zf.read('first_file.txt')
         assert_equal last_text, zf.read('last_file.txt')
       end
@@ -44,7 +44,7 @@ if ENV['FULL_ZIP64_TEST']
       # note: if this fails, be sure you have UnZip version 6.0 or newer
       # as this is the first version to support zip64 extensions
       # but some OSes (*cough* OSX) still bundle a 5.xx release
-      assert system("unzip -t #{test_filename}"), 'third-party zip validation failed'
+      assert system("unzip -tqq #{test_filename}"), 'third-party zip validation failed'
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubyzip
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.2.2
 platform: ruby
 authors:
 - Alexander Simonov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-08 00:00:00.000000000 Z
+date: 2018-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.49.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.49.1
 description: 
 email:
 - alex@simonov.me
@@ -134,10 +148,25 @@ files:
 - test/data/globTest/foo.txt
 - test/data/globTest/foo/bar/baz/foo.txt
 - test/data/globTest/food.txt
+- test/data/gpbit3stored.zip
 - test/data/mimetype
 - test/data/notzippedruby.rb
 - test/data/ntfs.zip
 - test/data/oddExtraField.zip
+- test/data/path_traversal/Makefile
+- test/data/path_traversal/jwilk/README.md
+- test/data/path_traversal/jwilk/absolute1.zip
+- test/data/path_traversal/jwilk/absolute2.zip
+- test/data/path_traversal/jwilk/dirsymlink.zip
+- test/data/path_traversal/jwilk/dirsymlink2a.zip
+- test/data/path_traversal/jwilk/dirsymlink2b.zip
+- test/data/path_traversal/jwilk/relative0.zip
+- test/data/path_traversal/jwilk/relative2.zip
+- test/data/path_traversal/jwilk/symlink.zip
+- test/data/path_traversal/relative1.zip
+- test/data/path_traversal/tuzovakaoff/README.md
+- test/data/path_traversal/tuzovakaoff/absolutepath.zip
+- test/data/path_traversal/tuzovakaoff/symlink.zip
 - test/data/rubycode.zip
 - test/data/rubycode2.zip
 - test/data/test.xls
@@ -171,6 +200,7 @@ files:
 - test/output_stream_test.rb
 - test/pass_thru_compressor_test.rb
 - test/pass_thru_decompressor_test.rb
+- test/path_traversal_test.rb
 - test/samples/example_recursive_test.rb
 - test/settings_test.rb
 - test/test_helper.rb
@@ -197,65 +227,81 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: rubyzip is a ruby module for reading and writing zip files
 test_files:
-- test/basic_zip_file_test.rb
-- test/case_sensitivity_test.rb
-- test/central_directory_entry_test.rb
+- test/file_permissions_test.rb
+- test/path_traversal_test.rb
+- test/ioextras/abstract_input_stream_test.rb
+- test/ioextras/fake_io_test.rb
+- test/ioextras/abstract_output_stream_test.rb
 - test/central_directory_test.rb
-- test/crypto/null_encryption_test.rb
+- test/central_directory_entry_test.rb
 - test/crypto/traditional_encryption_test.rb
-- test/data/file1.txt
-- test/data/file1.txt.deflatedData
-- test/data/file2.txt
-- test/data/globTest/foo/bar/baz/foo.txt
-- test/data/globTest/foo.txt
-- test/data/globTest/food.txt
-- test/data/globTest.zip
-- test/data/mimetype
-- test/data/notzippedruby.rb
-- test/data/ntfs.zip
-- test/data/oddExtraField.zip
-- test/data/rubycode.zip
-- test/data/rubycode2.zip
-- test/data/test.xls
-- test/data/testDirectory.bin
-- test/data/WarnInvalidDate.zip
-- test/data/zip64-sample.zip
-- test/data/zipWithDirs.zip
-- test/data/zipWithEncryption.zip
-- test/deflater_test.rb
-- test/encryption_test.rb
-- test/entry_set_test.rb
-- test/entry_test.rb
-- test/errors_test.rb
-- test/extra_field_test.rb
+- test/crypto/null_encryption_test.rb
+- test/input_stream_test.rb
 - test/file_extract_directory_test.rb
+- test/basic_zip_file_test.rb
+- test/inflater_test.rb
 - test/file_extract_test.rb
-- test/file_permissions_test.rb
-- test/file_split_test.rb
-- test/file_test.rb
-- test/filesystem/dir_iterator_test.rb
-- test/filesystem/directory_test.rb
-- test/filesystem/file_mutating_test.rb
+- test/pass_thru_compressor_test.rb
 - test/filesystem/file_nonmutating_test.rb
 - test/filesystem/file_stat_test.rb
-- test/gentestfiles.rb
-- test/inflater_test.rb
-- test/input_stream_test.rb
-- test/ioextras/abstract_input_stream_test.rb
-- test/ioextras/abstract_output_stream_test.rb
-- test/ioextras/fake_io_test.rb
+- test/filesystem/file_mutating_test.rb
+- test/filesystem/dir_iterator_test.rb
+- test/filesystem/directory_test.rb
+- test/extra_field_test.rb
+- test/zip64_support_test.rb
 - test/local_entry_test.rb
-- test/output_stream_test.rb
-- test/pass_thru_compressor_test.rb
-- test/pass_thru_decompressor_test.rb
 - test/samples/example_recursive_test.rb
+- test/entry_test.rb
+- test/case_sensitivity_test.rb
+- test/zip64_full_test.rb
+- test/pass_thru_decompressor_test.rb
 - test/settings_test.rb
+- test/gentestfiles.rb
+- test/encryption_test.rb
+- test/file_test.rb
+- test/deflater_test.rb
 - test/test_helper.rb
+- test/errors_test.rb
+- test/file_split_test.rb
+- test/data/file2.txt
+- test/data/testDirectory.bin
+- test/data/globTest/foo.txt
+- test/data/globTest/foo/bar/baz/foo.txt
+- test/data/globTest/food.txt
+- test/data/file1.txt
+- test/data/rubycode.zip
+- test/data/WarnInvalidDate.zip
+- test/data/zipWithDirs.zip
+- test/data/rubycode2.zip
+- test/data/mimetype
+- test/data/zipWithEncryption.zip
+- test/data/path_traversal/Makefile
+- test/data/path_traversal/relative1.zip
+- test/data/path_traversal/jwilk/dirsymlink.zip
+- test/data/path_traversal/jwilk/symlink.zip
+- test/data/path_traversal/jwilk/README.md
+- test/data/path_traversal/jwilk/relative2.zip
+- test/data/path_traversal/jwilk/relative0.zip
+- test/data/path_traversal/jwilk/absolute2.zip
+- test/data/path_traversal/jwilk/dirsymlink2b.zip
+- test/data/path_traversal/jwilk/absolute1.zip
+- test/data/path_traversal/jwilk/dirsymlink2a.zip
+- test/data/path_traversal/tuzovakaoff/symlink.zip
+- test/data/path_traversal/tuzovakaoff/README.md
+- test/data/path_traversal/tuzovakaoff/absolutepath.zip
+- test/data/oddExtraField.zip
+- test/data/gpbit3stored.zip
+- test/data/ntfs.zip
+- test/data/notzippedruby.rb
+- test/data/globTest.zip
+- test/data/file1.txt.deflatedData
+- test/data/test.xls
+- test/data/zip64-sample.zip
 - test/unicode_file_names_and_comments_test.rb
-- test/zip64_full_test.rb
-- test/zip64_support_test.rb
+- test/entry_set_test.rb
+- test/output_stream_test.rb