rubyzip 1.2.1 → 1.3.0

data/lib/zip/file.rb

@@ -64,25 +64,38 @@ module Zip
 
     # Opens a zip archive. Pass true as the second parameter to create
     # a new archive if it doesn't exist already.
-    def initialize(file_name, create = false, buffer = false, options = {})
+    def initialize(path_or_io, create = false, buffer = false, options = {})
       super()
-      @name    = file_name
+      @name    = path_or_io.respond_to?(:path) ? path_or_io.path : path_or_io
       @comment = ''
       @create  = create ? true : false # allow any truthy value to mean true
-      case
-      when !buffer && ::File.size?(file_name)
+
+      if ::File.size?(@name.to_s)
+        # There is a file, which exists, that is associated with this zip.
         @create = false
-        @file_permissions = ::File.stat(file_name).mode
-        ::File.open(name, 'rb') do |f|
-          read_from_stream(f)
+        @file_permissions = ::File.stat(@name).mode
+
+        if buffer
+          read_from_stream(path_or_io)
+        else
+          ::File.open(@name, 'rb') do |f|
+            read_from_stream(f)
+          end
         end
-      when @create
+      elsif buffer && path_or_io.size > 0
+        # This zip is probably a non-empty StringIO.
+        read_from_stream(path_or_io)
+      elsif @create
+        # This zip is completely new/empty and is to be created.
         @entry_set = EntrySet.new
-      when ::File.zero?(file_name)
-        raise Error, "File #{file_name} has zero size. Did you mean to pass the create flag?"
+      elsif ::File.zero?(@name)
+        # A file exists, but it is empty.
+        raise Error, "File #{@name} has zero size. Did you mean to pass the create flag?"
       else
-        raise Error, "File #{file_name} not found"
+        # Everything is wrong.
+        raise Error, "File #{@name} not found"
       end
+
       @stored_entries      = @entry_set.dup
       @stored_comment      = @comment
       @restore_ownership   = options[:restore_ownership]    || false
@@ -120,17 +133,16 @@ module Zip
         unless IO_METHODS.map { |method| io.respond_to?(method) }.all? || io.is_a?(String)
           raise "Zip::File.open_buffer expects a String or IO-like argument (responds to #{IO_METHODS.join(', ')}). Found: #{io.class}"
         end
-        if io.is_a?(::String)
-          require 'stringio'
-          io = ::StringIO.new(io)
-        elsif io.respond_to?(:binmode)
-          # https://github.com/rubyzip/rubyzip/issues/119
-          io.binmode
-        end
+
+        io = ::StringIO.new(io) if io.is_a?(::String)
+
+        # https://github.com/rubyzip/rubyzip/issues/119
+        io.binmode if io.respond_to?(:binmode)
+
         zf = ::Zip::File.new(io, true, true, options)
-        zf.read_from_stream(io)
         return zf unless block_given?
         yield zf
+
         begin
           zf.write_buffer(io)
         rescue IOError => e
@@ -151,10 +163,9 @@ module Zip
       end
 
       def get_segment_size_for_split(segment_size)
-        case
-        when MIN_SEGMENT_SIZE > segment_size
+        if MIN_SEGMENT_SIZE > segment_size
           MIN_SEGMENT_SIZE
-        when MAX_SEGMENT_SIZE < segment_size
+        elsif MAX_SEGMENT_SIZE < segment_size
           MAX_SEGMENT_SIZE
         else
           segment_size
@@ -162,8 +173,10 @@ module Zip
       end
 
       def get_partial_zip_file_name(zip_file_name, partial_zip_file_name)
-        partial_zip_file_name = zip_file_name.sub(/#{::File.basename(zip_file_name)}\z/,
-                                                  partial_zip_file_name + ::File.extname(zip_file_name)) unless partial_zip_file_name.nil?
+        unless partial_zip_file_name.nil?
+          partial_zip_file_name = zip_file_name.sub(/#{::File.basename(zip_file_name)}\z/,
+                                                    partial_zip_file_name + ::File.extname(zip_file_name))
+        end
         partial_zip_file_name ||= zip_file_name
         partial_zip_file_name
       end
@@ -237,7 +250,7 @@ module Zip
     # specified. If a block is passed the stream object is passed to the block and
     # the stream is automatically closed afterwards just as with ruby's builtin
     # File.open method.
-    def get_output_stream(entry, permission_int = nil, comment = nil, extra = nil, compressed_size = nil, crc = nil, compression_method = nil, size = nil, time = nil,  &aProc)
+    def get_output_stream(entry, permission_int = nil, comment = nil, extra = nil, compressed_size = nil, crc = nil, compression_method = nil, size = nil, time = nil, &aProc)
       new_entry =
         if entry.kind_of?(Entry)
           entry
@@ -274,6 +287,13 @@ module Zip
       @entry_set << new_entry
     end
 
+    # Convenience method for adding the contents of a file to the archive
+    # in Stored format (uncompressed)
+    def add_stored(entry, src_path, &continue_on_exists_proc)
+      entry = ::Zip::Entry.new(@name, entry.to_s, nil, nil, nil, nil, ::Zip::Entry::STORED)
+      add(entry, src_path, &continue_on_exists_proc)
+    end
+
     # Removes the specified entry.
     def remove(entry)
       @entry_set.delete(get_entry(entry))
@@ -306,7 +326,7 @@ module Zip
     # Commits changes that has been made since the previous commit to
     # the zip archive.
     def commit
-      return unless commit_required?
+      return if name.is_a?(StringIO) || !commit_required?
       on_success_replace do |tmp_file|
         ::Zip::OutputStream.open(tmp_file) do |zos|
           @entry_set.each do |e|
@@ -366,7 +386,7 @@ module Zip
     end
 
     # Creates a directory
-    def mkdir(entryName, permissionInt = 0755)
+    def mkdir(entryName, permissionInt = 0o755)
       raise Errno::EEXIST, "File exists - #{entryName}" if find_entry(entryName)
       entryName = entryName.dup.to_s
       entryName << '/' unless entryName.end_with?('/')

data/lib/zip/filesystem.rb

@@ -142,9 +142,9 @@ module Zip
 
         def ftype
           if file?
-            return 'file'
+            'file'
           elsif directory?
-            return 'directory'
+            'directory'
           else
             raise StandardError, 'Unknown file type'
           end
@@ -198,30 +198,30 @@ module Zip
       alias grpowned? exists?
 
       def readable?(fileName)
-        unix_mode_cmp(fileName, 0444)
+        unix_mode_cmp(fileName, 0o444)
       end
       alias readable_real? readable?
 
       def writable?(fileName)
-        unix_mode_cmp(fileName, 0222)
+        unix_mode_cmp(fileName, 0o222)
       end
       alias writable_real? writable?
 
       def executable?(fileName)
-        unix_mode_cmp(fileName, 0111)
+        unix_mode_cmp(fileName, 0o111)
       end
       alias executable_real? executable?
 
       def setuid?(fileName)
-        unix_mode_cmp(fileName, 04000)
+        unix_mode_cmp(fileName, 0o4000)
       end
 
       def setgid?(fileName)
-        unix_mode_cmp(fileName, 02000)
+        unix_mode_cmp(fileName, 0o2000)
       end
 
       def sticky?(fileName)
-        unix_mode_cmp(fileName, 01000)
+        unix_mode_cmp(fileName, 0o1000)
       end
 
       def umask(*args)
@@ -237,8 +237,8 @@ module Zip
         expand_path(fileName) == '/' || (!entry.nil? && entry.directory?)
       end
 
-      def open(fileName, openMode = 'r', permissionInt = 0644, &block)
-        openMode.gsub!('b', '') # ignore b option
+      def open(fileName, openMode = 'r', permissionInt = 0o644, &block)
+        openMode.delete!('b') # ignore b option
         case openMode
         when 'r'
           @mappedZip.get_input_stream(fileName, &block)
@@ -260,7 +260,7 @@ module Zip
       # Returns nil for not found and nil for directories
       def size?(fileName)
         entry = @mappedZip.find_entry(fileName)
-        (entry.nil? || entry.directory?) ? nil : entry.size
+        entry.nil? || entry.directory? ? nil : entry.size
       end
 
       def chown(ownerInt, groupInt, *filenames)
@@ -498,7 +498,7 @@ module Zip
       alias rmdir delete
       alias unlink delete
 
-      def mkdir(entryName, permissionInt = 0755)
+      def mkdir(entryName, permissionInt = 0o755)
         @mappedZip.mkdir(entryName, permissionInt)
       end
 
@@ -573,6 +573,10 @@ module Zip
         @zipFile.get_output_stream(expand_to_entry(fileName), permissionInt, &aProc)
       end
 
+      def glob(pattern, *flags, &block)
+        @zipFile.glob(expand_to_entry(pattern), *flags, &block)
+      end
+
       def read(fileName)
         @zipFile.read(expand_to_entry(fileName))
       end
@@ -586,7 +590,7 @@ module Zip
                         &continueOnExistsProc)
       end
 
-      def mkdir(fileName, permissionInt = 0755)
+      def mkdir(fileName, permissionInt = 0o755)
         @zipFile.mkdir(expand_to_entry(fileName), permissionInt)
       end
 

data/lib/zip/inflater.rb

@@ -3,9 +3,9 @@ module Zip
     def initialize(input_stream, decrypter = NullDecrypter.new)
       super(input_stream)
       @zlib_inflater           = ::Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      @output_buffer           = ''
+      @output_buffer           = ''.dup
       @has_returned_empty_string = false
-      @decrypter               = decrypter
+      @decrypter = decrypter
     end
 
     def sysread(number_of_bytes = nil, buf = '')

data/lib/zip/input_stream.rb

@@ -129,23 +129,26 @@ module Zip
       end
       if @current_entry && @current_entry.gp_flags & 8 == 8 && @current_entry.crc == 0 \
         && @current_entry.compressed_size == 0 \
-        && @current_entry.size == 0 && !@internal
+        && @current_entry.size == 0 && !@complete_entry
         raise GPFBit3Error,
               'General purpose flag Bit 3 is set so not possible to get proper info from local header.' \
               'Please use ::Zip::File instead of ::Zip::InputStream'
       end
-      @decompressor  = get_decompressor
+      @decompressor = get_decompressor
       flush
       @current_entry
     end
 
     def get_decompressor
-      case
-      when @current_entry.nil?
+      if @current_entry.nil?
         ::Zip::NullDecompressor
-      when @current_entry.compression_method == ::Zip::Entry::STORED
-        ::Zip::PassThruDecompressor.new(@archive_io, @current_entry.size)
-      when @current_entry.compression_method == ::Zip::Entry::DEFLATED
+      elsif @current_entry.compression_method == ::Zip::Entry::STORED
+        if @current_entry.gp_flags & 8 == 8 && @current_entry.crc == 0 && @current_entry.size == 0 && @complete_entry
+          ::Zip::PassThruDecompressor.new(@archive_io, @complete_entry.size)
+        else
+          ::Zip::PassThruDecompressor.new(@archive_io, @current_entry.size)
+        end
+      elsif @current_entry.compression_method == ::Zip::Entry::DEFLATED
         header = @archive_io.read(@decrypter.header_bytesize)
         @decrypter.reset!(header)
         ::Zip::Inflater.new(@archive_io, @decrypter)

data/lib/zip/ioextras/abstract_input_stream.rb

@@ -33,7 +33,7 @@ module Zip
                  sysread(number_of_bytes, buf)
                end
 
-        if tbuf.nil? || tbuf.length == 0
+        if tbuf.nil? || tbuf.empty?
           return nil if number_of_bytes
           return ''
         end

data/lib/zip/ioextras/abstract_output_stream.rb

@@ -15,7 +15,7 @@ module Zip
       end
 
       def printf(a_format_string, *params)
-        self << sprintf(a_format_string, *params)
+        self << format(a_format_string, *params)
       end
 
       def putc(an_object)

data/lib/zip/output_stream.rb

@@ -87,11 +87,11 @@ module Zip
     # +entry+ can be a ZipEntry object or a string.
     def put_next_entry(entry_name, comment = nil, extra = nil, compression_method = Entry::DEFLATED, level = Zip.default_compression)
       raise Error, 'zip stream is closed' if @closed
-      if entry_name.kind_of?(Entry)
-        new_entry = entry_name
-      else
-        new_entry = Entry.new(@file_name, entry_name.to_s)
-      end
+      new_entry = if entry_name.kind_of?(Entry)
+                    entry_name
+                  else
+                    Entry.new(@file_name, entry_name.to_s)
+                  end
       new_entry.comment = comment unless comment.nil?
       unless extra.nil?
         new_entry.extra = extra.is_a?(ExtraField) ? extra : ExtraField.new(extra.to_s)

data/lib/zip/pass_thru_decompressor.rb

@@ -1,5 +1,5 @@
 module Zip
-  class PassThruDecompressor < Decompressor  #:nodoc:all
+  class PassThruDecompressor < Decompressor #:nodoc:all
     def initialize(input_stream, chars_to_read)
       super(input_stream)
       @chars_to_read = chars_to_read

data/lib/zip/streamable_stream.rb

@@ -5,7 +5,7 @@ module Zip
       dirname = if zipfile.is_a?(::String)
                   ::File.dirname(zipfile)
                 else
-                  '.'
+                  nil
                 end
       @temp_file = Tempfile.new(::File.basename(name), dirname)
       @temp_file.binmode

data/lib/zip/version.rb

@@ -1,3 +1,3 @@
 module Zip
-  VERSION = '1.2.1'
+  VERSION = '1.3.0'
 end

data/lib/zip.rb

@@ -34,7 +34,16 @@ require 'zip/errors'
 
 module Zip
   extend self
-  attr_accessor :unicode_names, :on_exists_proc, :continue_on_exists_proc, :sort_entries, :default_compression, :write_zip64_support, :warn_invalid_date, :case_insensitive_match
+  attr_accessor :unicode_names,
+                :on_exists_proc,
+                :continue_on_exists_proc,
+                :sort_entries,
+                :default_compression,
+                :write_zip64_support,
+                :warn_invalid_date,
+                :case_insensitive_match,
+                :force_entry_names_encoding,
+                :validate_entry_sizes
 
   def reset!
     @_ran_once = false
@@ -46,6 +55,7 @@ module Zip
     @write_zip64_support = false
     @warn_invalid_date = true
     @case_insensitive_match = false
+    @validate_entry_sizes = false
   end
 
   def setup

data/samples/example_recursive.rb

@@ -19,37 +19,36 @@ class ZipFileGenerator
 
   # Zip the input directory.
   def write
-    entries = Dir.entries(@input_dir) - %w(. ..)
+    entries = Dir.entries(@input_dir) - %w[. ..]
 
-    ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |io|
-      write_entries entries, '', io
+    ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |zipfile|
+      write_entries entries, '', zipfile
     end
   end
 
   private
 
   # A helper method to make the recursion work.
-  def write_entries(entries, path, io)
+  def write_entries(entries, path, zipfile)
     entries.each do |e|
-      zip_file_path = path == '' ? e : File.join(path, e)
-      disk_file_path = File.join(@input_dir, zip_file_path)
-      puts "Deflating #{disk_file_path}"
+      zipfile_path = path == '' ? e : File.join(path, e)
+      disk_file_path = File.join(@input_dir, zipfile_path)
 
       if File.directory? disk_file_path
-        recursively_deflate_directory(disk_file_path, io, zip_file_path)
+        recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
       else
-        put_into_archive(disk_file_path, io, zip_file_path)
+        put_into_archive(disk_file_path, zipfile, zipfile_path)
       end
     end
   end
 
-  def recursively_deflate_directory(disk_file_path, io, zip_file_path)
-    io.mkdir zip_file_path
-    subdir = Dir.entries(disk_file_path) - %w(. ..)
-    write_entries subdir, zip_file_path, io
+  def recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
+    zipfile.mkdir zipfile_path
+    subdir = Dir.entries(disk_file_path) - %w[. ..]
+    write_entries subdir, zipfile_path, zipfile
   end
 
-  def put_into_archive(disk_file_path, io, zip_file_path)
-    io.add(zip_file_path, disk_file_path)
+  def put_into_archive(disk_file_path, zipfile, zipfile_path)
+    zipfile.add(zipfile_path, disk_file_path)
   end
 end

data/samples/gtk_ruby_zip.rb

@@ -31,7 +31,7 @@ class MainApp < Gtk::Window
     sw.set_policy(Gtk::POLICY_AUTOMATIC, Gtk::POLICY_AUTOMATIC)
     box.pack_start(sw, true, true, 0)
 
-    @clist = Gtk::CList.new(%w(Name Size Compression))
+    @clist = Gtk::CList.new(%w[Name Size Compression])
     @clist.set_selection_mode(Gtk::SELECTION_BROWSE)
     @clist.set_column_width(0, 120)
     @clist.set_column_width(1, 120)

data/samples/qtzip.rb

@@ -65,7 +65,7 @@ class ZipDialog < ZipDialogUI
     end
     puts "selected_items.size = #{selected_items.size}"
     puts "unselected_items.size = #{unselected_items.size}"
-    items = selected_items.size > 0 ? selected_items : unselected_items
+    items = !selected_items.empty? ? selected_items : unselected_items
     puts "items.size = #{items.size}"
 
     d = Qt::FileDialog.get_existing_directory(nil, self)

data/samples/zipfind.rb

@@ -31,7 +31,7 @@ module Zip
   end
 end
 
-if __FILE__ == $0
+if $0 == __FILE__
   module ZipFindConsoleRunner
     PATH_ARG_INDEX = 0
     FILENAME_PATTERN_ARG_INDEX = 1
@@ -47,7 +47,7 @@ if __FILE__ == $0
     end
 
     def self.check_args(args)
-      if (args.size != 3)
+      if args.size != 3
         usage
         exit
       end

data/test/central_directory_entry_test.rb

@@ -2,7 +2,7 @@ require 'test_helper'
 
 class ZipCentralDirectoryEntryTest < MiniTest::Test
   def test_read_from_stream
-    File.open('test/data/testDirectory.bin', 'rb') do  |file|
+    File.open('test/data/testDirectory.bin', 'rb') do |file|
       entry = ::Zip::Entry.read_c_dir_entry(file)
 
       assert_equal('longAscii.txt', entry.name)

data/test/data/path_traversal/Makefile

@@ -0,0 +1,10 @@
+# Based on 'relative2' in https://github.com/jwilk/path-traversal-samples,
+# but create the local `tmp` folder before adding the symlink. Otherwise
+# we may bail out before we get to trying to create the file.
+all: relative1.zip
+relative1.zip:
+	rm -f $(@)
+	mkdir -p -m 755 tmp/tmp
+	umask 022 && echo moo > moo
+	cd tmp && zip -X ../$(@) tmp tmp/../../moo
+	rm -rf tmp moo

data/test/data/path_traversal/jwilk/README.md

@@ -0,0 +1,5 @@
+# Path Traversal Samples
+
+Copied from https://github.com/jwilk/path-traversal-samples on 2018-08-26.
+
+License: MIT

data/test/data/path_traversal/tuzovakaoff/README.md

@@ -0,0 +1,3 @@
+# Path Traversal Samples
+
+Copied from https://github.com/tuzovakaoff/zip_path_traversal on 2018-08-25.

data/test/errors_test.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 require 'test_helper'
 
 class ErrorsTest < MiniTest::Test

data/test/file_extract_test.rb

@@ -10,6 +10,10 @@ class ZipFileExtractTest < MiniTest::Test
     ::File.delete(EXTRACTED_FILENAME) if ::File.exist?(EXTRACTED_FILENAME)
   end
 
+  def teardown
+    ::Zip.reset!
+  end
+
   def test_extract
     ::Zip::File.open(TEST_ZIP.zip_name) do |zf|
       zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
@@ -80,4 +84,62 @@ class ZipFileExtractTest < MiniTest::Test
     end
     assert(!File.exist?(outFile))
   end
+
+  def test_extract_incorrect_size
+    # The uncompressed size fields in the zip file cannot be trusted. This makes
+    # it harder for callers to validate the sizes of the files they are
+    # extracting, which can lead to denial of service. See also
+    # https://en.wikipedia.org/wiki/Zip_bomb
+    Dir.mktmpdir do |tmp|
+      real_zip = File.join(tmp, 'real.zip')
+      fake_zip = File.join(tmp, 'fake.zip')
+      file_name = 'a'
+      true_size = 500_000
+      fake_size = 1
+
+      ::Zip::File.open(real_zip, ::Zip::File::CREATE) do |zf|
+        zf.get_output_stream(file_name) do |os|
+          os.write 'a' * true_size
+        end
+      end
+
+      compressed_size = nil
+      ::Zip::File.open(real_zip) do |zf|
+        a_entry = zf.find_entry(file_name)
+        compressed_size = a_entry.compressed_size
+        assert_equal true_size, a_entry.size
+      end
+
+      true_size_bytes = [compressed_size, true_size, file_name.size].pack('LLS')
+      fake_size_bytes = [compressed_size, fake_size, file_name.size].pack('LLS')
+
+      data = File.binread(real_zip)
+      assert data.include?(true_size_bytes)
+      data.gsub! true_size_bytes, fake_size_bytes
+
+      File.open(fake_zip, 'wb') do |file|
+        file.write data
+      end
+
+      Dir.chdir tmp do
+        ::Zip::File.open(fake_zip) do |zf|
+          a_entry = zf.find_entry(file_name)
+          assert_equal fake_size, a_entry.size
+
+          ::Zip.validate_entry_sizes = false
+          a_entry.extract
+          assert_equal true_size, File.size(file_name)
+          FileUtils.rm file_name
+
+          ::Zip.validate_entry_sizes = true
+          error = assert_raises ::Zip::EntrySizeError do
+            a_entry.extract
+          end
+          assert_equal \
+            'Entry a should be 1B but is larger when inflated',
+            error.message
+        end
+      end
+    end
+  end
 end