rubyzip 1.2.2 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 898367588fc593bddd565ee8626c75cfbcddfce2
-  data.tar.gz: 24d90fd344a11d8cf3b8098c459eb2c765e933e7
+SHA256:
+  metadata.gz: 7861f60d52fbe54891831d9239df3e3e927a33f1f2d00abcb7b2693a8c01097d
+  data.tar.gz: c04844369dbc75f40583f3d8aab34cbf2cfcce293b3c30570fa76208755a3157
 SHA512:
-  metadata.gz: 4f00c8c74720ba3bf103596601400f57e89d03cdd90b4423debd4c96ed6150a3db0fa8f7407201657cf6a7ee0b2e6586c7a284e1398dd1cf44c523799e1b25be
-  data.tar.gz: 3a434114b84d7b109e26aec4821b395ad100efda591ad004656c6b5fd8cdba3740e50c171409c726a9770996e0815ef0324c87063d975024642c6f89ba56377e
+  metadata.gz: f9fa8a9f92c4789f06a1691eee6201918a753f1356eb6f2ef99fe9c777d46d661b7a8f96ce71b7a18406a4e1a4098f81b8a282babe2a7284ae0c8c04d03cf758
+  data.tar.gz: e4650b6f572ef4bcdb33cff4bd0c7ddbd399b04278bd644d11ea29defe057510706d15d0b8ac918df28280d13f4bdfec28526aaad258ff52136ce209f29a35dd

data/README.md

@@ -1,4 +1,5 @@
 # rubyzip
+
 [![Gem Version](https://badge.fury.io/rb/rubyzip.svg)](http://badge.fury.io/rb/rubyzip)
 [![Build Status](https://secure.travis-ci.org/rubyzip/rubyzip.svg)](http://travis-ci.org/rubyzip/rubyzip)
 [![Code Climate](https://codeclimate.com/github/rubyzip/rubyzip.svg)](https://codeclimate.com/github/rubyzip/rubyzip)
@@ -19,9 +20,10 @@ gem 'zip-zip' # will load compatibility for old rubyzip API.
 
 ## Requirements
 
-* Ruby 1.9.2 or greater
+- Ruby 1.9.2 or greater
 
 ## Installation
+
 Rubyzip is available on RubyGems:
 
 ```
@@ -59,7 +61,8 @@ end
 ```
 
 ### Zipping a directory recursively
-Copy from [here](https://github.com/rubyzip/rubyzip/blob/05916bf89181e1955118fd3ea059f18acac28cc8/samples/example_recursive.rb )
+
+Copy from [here](https://github.com/rubyzip/rubyzip/blob/9d891f7353e66052283562d3e252fe380bb4b199/samples/example_recursive.rb)
 
 ```ruby
 require 'zip'
@@ -83,7 +86,7 @@ class ZipFileGenerator
 
   # Zip the input directory.
   def write
-    entries = Dir.entries(@input_dir) - %w(. ..)
+    entries = Dir.entries(@input_dir) - %w[. ..]
 
     ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |zipfile|
       write_entries entries, '', zipfile
@@ -97,7 +100,6 @@ class ZipFileGenerator
     entries.each do |e|
       zipfile_path = path == '' ? e : File.join(path, e)
       disk_file_path = File.join(@input_dir, zipfile_path)
-      puts "Deflating #{disk_file_path}"
 
       if File.directory? disk_file_path
         recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
@@ -109,14 +111,12 @@ class ZipFileGenerator
 
   def recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
     zipfile.mkdir zipfile_path
-    subdir = Dir.entries(disk_file_path) - %w(. ..)
+    subdir = Dir.entries(disk_file_path) - %w[. ..]
     write_entries subdir, zipfile_path, zipfile
   end
 
   def put_into_archive(disk_file_path, zipfile, zipfile_path)
-    zipfile.get_output_stream(zipfile_path) do |f|
-      f.write(File.open(disk_file_path, 'rb').read)
-    end
+    zipfile.add(zipfile_path, disk_file_path)
   end
 end
 ```
@@ -152,12 +152,15 @@ When modifying a zip archive the file permissions of the archive are preserved.
 ### Reading a Zip file
 
 ```ruby
+MAX_SIZE = 1024**2 # 1MiB (but of course you can increase this)
 Zip::File.open('foo.zip') do |zip_file|
   # Handle entries one by one
   zip_file.each do |entry|
-    # Extract to file/directory/symlink
     puts "Extracting #{entry.name}"
-    entry.extract(dest_file)
+    raise 'File too large when extracted' if entry.size > MAX_SIZE
+
+    # Extract to file or directory based on name in the archive
+    entry.extract
 
     # Read into memory
     content = entry.get_input_stream.read
@@ -165,6 +168,7 @@ Zip::File.open('foo.zip') do |zip_file|
 
   # Find specific entry
   entry = zip_file.glob('*.csv').first
+  raise 'File too large when extracted' if entry.size > MAX_SIZE
   puts entry.get_input_stream.read
 end
 ```
@@ -177,7 +181,6 @@ But there is one exception when it is not working - General Purpose Flag Bit 3.
 
 > If bit 3 (0x08) of the general-purpose flags field is set, then the CRC-32 and file sizes are not known when the header is written. The fields in the local header are filled with zero, and the CRC-32 and size are appended in a 12-byte structure (optionally preceded by a 4-byte signature) immediately after the compressed data
 
-
 If `::Zip::InputStream` finds such entry in the zip archive it will raise an exception.
 
 ### Password Protection (Experimental)
@@ -220,7 +223,9 @@ File.open(new_path, "wb") {|f| f.write(buffer.string) }
 
 ## Configuration
 
-By default, rubyzip will not overwrite files if they already exist inside of the extracted path.  To change this behavior, you may specify a configuration option like so:
+### Existing Files
+
+By default, rubyzip will not overwrite files if they already exist inside of the extracted path. To change this behavior, you may specify a configuration option like so:
 
 ```ruby
 Zip.on_exists_proc = true
@@ -234,32 +239,82 @@ Additionally, if you want to configure rubyzip to overwrite existing files while
 Zip.continue_on_exists_proc = true
 ```
 
+### Non-ASCII Names
+
 If you want to store non-english names and want to open them on Windows(pre 7) you need to set this option:
 
 ```ruby
 Zip.unicode_names = true
 ```
 
+Sometimes file names inside zip contain non-ASCII characters. If you can assume which encoding was used for such names and want to be able to find such entries using `find_entry` then you can force assumed encoding like so:
+
+```ruby
+Zip.force_entry_names_encoding = 'UTF-8'
+```
+
+Allowed encoding names are the same as accepted by `String#force_encoding`
+
+### Date Validation
+
 Some zip files might have an invalid date format, which will raise a warning. You can hide this warning with the following setting:
 
 ```ruby
 Zip.warn_invalid_date = false
 ```
 
+### Size Validation
+
+**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.**
+
+If you set
+```
+Zip.validate_entry_sizes = true
+```
+then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like:
+
+```ruby
+MAX_FILE_SIZE = 10 * 1024**2 # 10MiB
+MAX_FILES = 100
+Zip::File.open('foo.zip') do |zip_file|
+  num_files = 0
+  zip_file.each do |entry|
+    num_files += 1 if entry.file?
+    raise 'Too many extracted files' if num_files > MAX_FILES
+    raise 'File too large when extracted' if entry.size > MAX_FILE_SIZE
+    entry.extract
+  end
+end
+```
+
+If you need to extract zip files that report incorrect uncompressed sizes and you really trust them not too be too large, you can disable this setting with
+```ruby
+Zip.validate_entry_sizes = false
+```
+
+Note that if you use the lower level `Zip::InputStream` interface, `rubyzip` does *not* check the entry `size`s. In this case, the caller is responsible for making sure it does not read more data than expected from the input stream.
+
+### Default Compression
+
 You can set the default compression level like so:
 
 ```ruby
 Zip.default_compression = Zlib::DEFAULT_COMPRESSION
 ```
+
 It defaults to `Zlib::DEFAULT_COMPRESSION`. Possible values are `Zlib::BEST_COMPRESSION`, `Zlib::DEFAULT_COMPRESSION` and `Zlib::NO_COMPRESSION`
 
-Sometimes file names inside zip contain non-ASCII characters. If you can assume which encoding was used for such names and want to be able to find such entries using `find_entry` then you can force assumed encoding like so:
+### Zip64 Support
+
+By default, Zip64 support is disabled for writing. To enable it do this:
 
 ```ruby
-Zip.force_entry_names_encoding = 'UTF-8'
+Zip.write_zip64_support = true
 ```
 
-Allowed encoding names are the same as accepted by `String#force_encoding`
+_NOTE_: If you will enable Zip64 writing then you will need zip extractor with Zip64 support to extract archive.
+
+### Block Form
 
 You can set multiple settings at the same time by using a block:
 
@@ -272,14 +327,6 @@ You can set multiple settings at the same time by using a block:
   end
 ```
 
-By default, Zip64 support is disabled for writing. To enable it do this:
-
-```ruby
-Zip.write_zip64_support = true
-```
-
-_NOTE_: If you will enable Zip64 writing then you will need zip extractor with Zip64 support to extract archive.
-
 ## Developing
 
 To run the test you need to do this:

data/lib/zip.rb

@@ -42,7 +42,8 @@ module Zip
                 :write_zip64_support,
                 :warn_invalid_date,
                 :case_insensitive_match,
-                :force_entry_names_encoding
+                :force_entry_names_encoding,
+                :validate_entry_sizes
 
   def reset!
     @_ran_once = false
@@ -54,6 +55,7 @@ module Zip
     @write_zip64_support = false
     @warn_invalid_date = true
     @case_insensitive_match = false
+    @validate_entry_sizes = false
   end
 
   def setup

data/lib/zip/entry.rb

@@ -1,3 +1,4 @@
+require 'pathname'
 module Zip
   class Entry
     STORED   = 0
@@ -117,7 +118,7 @@ module Zip
       return false unless cleanpath.relative?
       root = ::File::SEPARATOR
       naive_expanded_path = ::File.join(root, cleanpath.to_s)
-      cleanpath.expand_path(root).to_s == naive_expanded_path
+      ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
     end
 
     def local_entry_offset #:nodoc:all
@@ -275,10 +276,10 @@ module Zip
       zip64 = @extra['Zip64']
       [::Zip::LOCAL_ENTRY_SIGNATURE,
        @version_needed_to_extract, # version needed to extract
-       @gp_flags, # @gp_flags                  ,
+       @gp_flags, # @gp_flags
        @compression_method,
-       @time.to_binary_dos_time, # @last_mod_time              ,
-       @time.to_binary_dos_date, # @last_mod_date              ,
+       @time.to_binary_dos_time, # @last_mod_time
+       @time.to_binary_dos_date, # @last_mod_date
        @crc,
        zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
        zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
@@ -432,11 +433,11 @@ module Zip
         @header_signature,
         @version, # version of encoding software
         @fstype, # filesystem type
-        @version_needed_to_extract, # @versionNeededToExtract           ,
-        @gp_flags, # @gp_flags                          ,
+        @version_needed_to_extract, # @versionNeededToExtract
+        @gp_flags, # @gp_flags
         @compression_method,
-        @time.to_binary_dos_time, # @last_mod_time                      ,
-        @time.to_binary_dos_date, # @last_mod_date                      ,
+        @time.to_binary_dos_time, # @last_mod_time
+        @time.to_binary_dos_date, # @last_mod_date
         @crc,
         zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
         zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
@@ -602,9 +603,21 @@ module Zip
         get_input_stream do |is|
           set_extra_attributes_on_path(dest_path)
 
-          buf = ''
+          bytes_written = 0
+          warned = false
+          buf = ''.dup
           while (buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf))
             os << buf
+            bytes_written += buf.bytesize
+            if bytes_written > size && !warned
+              message = "Entry #{name} should be #{size}B but is larger when inflated"
+              if ::Zip.validate_entry_sizes
+                raise ::Zip::EntrySizeError, message
+              else
+                puts "WARNING: #{message}"
+                warned = true
+              end
+            end
           end
         end
       end

data/lib/zip/errors.rb

@@ -4,6 +4,7 @@ module Zip
   class DestinationFileExistsError < Error; end
   class CompressionMethodError < Error; end
   class EntryNameError < Error; end
+  class EntrySizeError < Error; end
   class InternalError < Error; end
   class GPFBit3Error < Error; end
 

data/lib/zip/extra_field.rb

@@ -26,7 +26,7 @@ module Zip
     end
 
     def create_unknown_item
-      s = ''
+      s = ''.dup
       class << s
         alias_method :to_c_dir_bin, :to_s
         alias_method :to_local_bin, :to_s

data/lib/zip/file.rb

@@ -64,24 +64,38 @@ module Zip
 
     # Opens a zip archive. Pass true as the second parameter to create
     # a new archive if it doesn't exist already.
-    def initialize(file_name, create = false, buffer = false, options = {})
+    def initialize(path_or_io, create = false, buffer = false, options = {})
       super()
-      @name    = file_name
+      @name    = path_or_io.respond_to?(:path) ? path_or_io.path : path_or_io
       @comment = ''
       @create  = create ? true : false # allow any truthy value to mean true
-      if !buffer && ::File.size?(file_name)
+
+      if ::File.size?(@name.to_s)
+        # There is a file, which exists, that is associated with this zip.
         @create = false
-        @file_permissions = ::File.stat(file_name).mode
-        ::File.open(name, 'rb') do |f|
-          read_from_stream(f)
+        @file_permissions = ::File.stat(@name).mode
+
+        if buffer
+          read_from_stream(path_or_io)
+        else
+          ::File.open(@name, 'rb') do |f|
+            read_from_stream(f)
+          end
         end
+      elsif buffer && path_or_io.size > 0
+        # This zip is probably a non-empty StringIO.
+        read_from_stream(path_or_io)
       elsif @create
+        # This zip is completely new/empty and is to be created.
         @entry_set = EntrySet.new
-      elsif ::File.zero?(file_name)
-        raise Error, "File #{file_name} has zero size. Did you mean to pass the create flag?"
+      elsif ::File.zero?(@name)
+        # A file exists, but it is empty.
+        raise Error, "File #{@name} has zero size. Did you mean to pass the create flag?"
       else
-        raise Error, "File #{file_name} not found"
+        # Everything is wrong.
+        raise Error, "File #{@name} not found"
       end
+
       @stored_entries      = @entry_set.dup
       @stored_comment      = @comment
       @restore_ownership   = options[:restore_ownership]    || false
@@ -119,17 +133,16 @@ module Zip
         unless IO_METHODS.map { |method| io.respond_to?(method) }.all? || io.is_a?(String)
           raise "Zip::File.open_buffer expects a String or IO-like argument (responds to #{IO_METHODS.join(', ')}). Found: #{io.class}"
         end
-        if io.is_a?(::String)
-          require 'stringio'
-          io = ::StringIO.new(io)
-        elsif io.respond_to?(:binmode)
-          # https://github.com/rubyzip/rubyzip/issues/119
-          io.binmode
-        end
+
+        io = ::StringIO.new(io) if io.is_a?(::String)
+
+        # https://github.com/rubyzip/rubyzip/issues/119
+        io.binmode if io.respond_to?(:binmode)
+
         zf = ::Zip::File.new(io, true, true, options)
-        zf.read_from_stream(io)
         return zf unless block_given?
         yield zf
+
         begin
           zf.write_buffer(io)
         rescue IOError => e
@@ -274,6 +287,13 @@ module Zip
       @entry_set << new_entry
     end
 
+    # Convenience method for adding the contents of a file to the archive
+    # in Stored format (uncompressed)
+    def add_stored(entry, src_path, &continue_on_exists_proc)
+      entry = ::Zip::Entry.new(@name, entry.to_s, nil, nil, nil, nil, ::Zip::Entry::STORED)
+      add(entry, src_path, &continue_on_exists_proc)
+    end
+
     # Removes the specified entry.
     def remove(entry)
       @entry_set.delete(get_entry(entry))

data/lib/zip/inflater.rb

@@ -3,7 +3,7 @@ module Zip
     def initialize(input_stream, decrypter = NullDecrypter.new)
       super(input_stream)
       @zlib_inflater           = ::Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      @output_buffer           = ''
+      @output_buffer           = ''.dup
       @has_returned_empty_string = false
       @decrypter = decrypter
     end

data/lib/zip/version.rb

@@ -1,3 +1,3 @@
 module Zip
-  VERSION = '1.2.2'
+  VERSION = '1.3.0'
 end

data/test/file_extract_test.rb

@@ -10,6 +10,10 @@ class ZipFileExtractTest < MiniTest::Test
     ::File.delete(EXTRACTED_FILENAME) if ::File.exist?(EXTRACTED_FILENAME)
   end
 
+  def teardown
+    ::Zip.reset!
+  end
+
   def test_extract
     ::Zip::File.open(TEST_ZIP.zip_name) do |zf|
       zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
@@ -80,4 +84,62 @@ class ZipFileExtractTest < MiniTest::Test
     end
     assert(!File.exist?(outFile))
   end
+
+  def test_extract_incorrect_size
+    # The uncompressed size fields in the zip file cannot be trusted. This makes
+    # it harder for callers to validate the sizes of the files they are
+    # extracting, which can lead to denial of service. See also
+    # https://en.wikipedia.org/wiki/Zip_bomb
+    Dir.mktmpdir do |tmp|
+      real_zip = File.join(tmp, 'real.zip')
+      fake_zip = File.join(tmp, 'fake.zip')
+      file_name = 'a'
+      true_size = 500_000
+      fake_size = 1
+
+      ::Zip::File.open(real_zip, ::Zip::File::CREATE) do |zf|
+        zf.get_output_stream(file_name) do |os|
+          os.write 'a' * true_size
+        end
+      end
+
+      compressed_size = nil
+      ::Zip::File.open(real_zip) do |zf|
+        a_entry = zf.find_entry(file_name)
+        compressed_size = a_entry.compressed_size
+        assert_equal true_size, a_entry.size
+      end
+
+      true_size_bytes = [compressed_size, true_size, file_name.size].pack('LLS')
+      fake_size_bytes = [compressed_size, fake_size, file_name.size].pack('LLS')
+
+      data = File.binread(real_zip)
+      assert data.include?(true_size_bytes)
+      data.gsub! true_size_bytes, fake_size_bytes
+
+      File.open(fake_zip, 'wb') do |file|
+        file.write data
+      end
+
+      Dir.chdir tmp do
+        ::Zip::File.open(fake_zip) do |zf|
+          a_entry = zf.find_entry(file_name)
+          assert_equal fake_size, a_entry.size
+
+          ::Zip.validate_entry_sizes = false
+          a_entry.extract
+          assert_equal true_size, File.size(file_name)
+          FileUtils.rm file_name
+
+          ::Zip.validate_entry_sizes = true
+          error = assert_raises ::Zip::EntrySizeError do
+            a_entry.extract
+          end
+          assert_equal \
+            'Entry a should be 1B but is larger when inflated',
+            error.message
+        end
+      end
+    end
+  end
 end

data/test/file_test.rb

@@ -103,6 +103,13 @@ class ZipFileTest < MiniTest::Test
     end
   end
 
+  def test_open_buffer_with_string
+    string = File.read('test/data/rubycode.zip')
+    ::Zip::File.open_buffer string do |zf|
+      assert zf.entries.map { |e| e.name }.include?('zippedruby1.rb')
+    end
+  end
+
   def test_open_buffer_with_stringio
     string_io = StringIO.new File.read('test/data/rubycode.zip')
     ::Zip::File.open_buffer string_io do |zf|
@@ -113,14 +120,52 @@ class ZipFileTest < MiniTest::Test
   def test_close_buffer_with_stringio
     string_io = StringIO.new File.read('test/data/rubycode.zip')
     zf = ::Zip::File.open_buffer string_io
-    assert(zf.close || true) # Poor man's refute_raises
+    assert_nil zf.close
+  end
+
+  def test_open_buffer_no_op_does_not_change_file
+    Dir.mktmpdir do |tmp|
+      test_zip = File.join(tmp, 'test.zip')
+      FileUtils.cp 'test/data/rubycode.zip', test_zip
+
+      # Note: this may change the file if it is opened with r+b instead of rb.
+      # The 'extra fields' in this particular zip file get reordered.
+      File.open(test_zip, 'rb') do |file|
+        Zip::File.open_buffer(file) do |zf|
+          nil # do nothing
+        end
+      end
+
+      assert_equal \
+        File.binread('test/data/rubycode.zip'),
+        File.binread(test_zip)
+    end
+  end
+
+  def test_open_buffer_close_does_not_change_file
+    Dir.mktmpdir do |tmp|
+      test_zip = File.join(tmp, 'test.zip')
+      FileUtils.cp 'test/data/rubycode.zip', test_zip
+
+      File.open(test_zip, 'rb') do |file|
+        zf = Zip::File.open_buffer(file)
+        refute zf.commit_required?
+        assert_nil zf.close
+      end
+
+      assert_equal \
+        File.binread('test/data/rubycode.zip'),
+        File.binread(test_zip)
+    end
   end
 
-  def test_close_buffer_with_io
-    f = File.open('test/data/rubycode.zip')
-    zf = ::Zip::File.open_buffer f
-    assert zf.close
-    f.close
+  def test_open_buffer_with_io_and_block
+    File.open('test/data/rubycode.zip') do |io|
+      io.set_encoding(Encoding::BINARY) # not strictly required but can be set
+      Zip::File.open_buffer(io) do |zip_io|
+        # left empty on purpose
+      end
+    end
   end
 
   def test_open_buffer_without_block
@@ -159,6 +204,26 @@ class ZipFileTest < MiniTest::Test
                                 zfRead.get_input_stream(entryName) { |zis| zis.read })
   end
 
+  def test_add_stored
+    srcFile = 'test/data/file2.txt'
+    entryName = 'newEntryName.rb'
+    assert(::File.exist?(srcFile))
+    zf = ::Zip::File.new(EMPTY_FILENAME, ::Zip::File::CREATE)
+    zf.add_stored(entryName, srcFile)
+    zf.close
+
+    zfRead = ::Zip::File.new(EMPTY_FILENAME)
+    entry = zfRead.entries.first
+    assert_equal('', zfRead.comment)
+    assert_equal(1, zfRead.entries.length)
+    assert_equal(entryName, entry.name)
+    assert_equal(File.size(srcFile), entry.size)
+    assert_equal(entry.size, entry.compressed_size)
+    assert_equal(::Zip::Entry::STORED, entry.compression_method)
+    AssertEntry.assert_contents(srcFile,
+                                zfRead.get_input_stream(entryName) { |zis| zis.read })
+  end
+
   def test_recover_permissions_after_add_files_to_archive
     srcZip = TEST_ZIP.zip_name
     ::File.chmod(0o664, srcZip)

data/test/path_traversal_test.rb

@@ -131,4 +131,11 @@ class PathTraversalTest < MiniTest::Test
       refute File.exist?('/tmp/file.txt')
     end
   end
+
+  def test_entry_name_with_tilde
+    in_tmpdir do
+      extract_path_traversal_zip 'tilde.zip'
+      assert File.exist?('~tilde~')
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubyzip
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 1.3.0
 platform: ruby
 authors:
 - Alexander Simonov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-31 00:00:00.000000000 Z
+date: 2019-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -164,6 +164,7 @@ files:
 - test/data/path_traversal/jwilk/relative2.zip
 - test/data/path_traversal/jwilk/symlink.zip
 - test/data/path_traversal/relative1.zip
+- test/data/path_traversal/tilde.zip
 - test/data/path_traversal/tuzovakaoff/README.md
 - test/data/path_traversal/tuzovakaoff/absolutepath.zip
 - test/data/path_traversal/tuzovakaoff/symlink.zip
@@ -210,7 +211,12 @@ files:
 homepage: http://github.com/rubyzip/rubyzip
 licenses:
 - BSD 2-Clause
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/rubyzip/rubyzip/issues
+  changelog_uri: https://github.com/rubyzip/rubyzip/blob/v1.3.0/Changelog.md
+  documentation_uri: https://www.rubydoc.info/gems/rubyzip/1.3.0
+  source_code_uri: https://github.com/rubyzip/rubyzip/tree/v1.3.0
+  wiki_uri: https://github.com/rubyzip/rubyzip/wiki
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -226,8 +232,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: rubyzip is a ruby module for reading and writing zip files
@@ -280,6 +285,7 @@ test_files:
 - test/data/rubycode2.zip
 - test/data/mimetype
 - test/data/zipWithEncryption.zip
+- test/data/path_traversal/tilde.zip
 - test/data/path_traversal/Makefile
 - test/data/path_traversal/relative1.zip
 - test/data/path_traversal/jwilk/dirsymlink.zip