Skip to content

Commit

Permalink
Add unit test to show that we handle tars safely
Browse files Browse the repository at this point in the history
  • Loading branch information
mwhooker committed May 25, 2018
1 parent cd6390c commit 788418c
Show file tree
Hide file tree
Showing 3 changed files with 26 additions and 0 deletions.
Binary file not shown.
8 changes: 8 additions & 0 deletions post-processor/vagrant/virtualbox.go
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,15 @@ func DecompressOva(dir, src string) error {
if hdr == nil || err == io.EOF {
break
}
if err != nil {
return err
}

// We use the fileinfo to get the file name because we are not
// expecting path information as from the tar header. It's important
// that we not use the path name from the tar header without checking
// for the presence of `..`. If we accidentally allow for that, we can
// open ourselves up to a path traversal vulnerability.
info := hdr.FileInfo()

// Shouldn't be any directories, skip them
Expand Down
18 changes: 18 additions & 0 deletions post-processor/vagrant/virtualbox_test.go
Original file line number Diff line number Diff line change
@@ -1,9 +1,27 @@
package vagrant

import (
"io/ioutil"
"os"
"path/filepath"
"testing"

"github.com/stretchr/testify/assert"
)

func TestVBoxProvider_impl(t *testing.T) {
var _ Provider = new(VBoxProvider)
}

func TestDecomressOVA(t *testing.T) {
td, err := ioutil.TempDir("", "pp-vagrant-virtualbox")
assert.NoError(t, err)
fixture := "../../common/test-fixtures/decompress-tar/outside_parent.tar"
err = DecompressOva(td, fixture)
assert.NoError(t, err)
_, err = os.Stat(filepath.Join(filepath.Base(td), "demo.poc"))
assert.Error(t, err)
_, err = os.Stat(filepath.Join(td, "demo.poc"))
assert.NoError(t, err)
os.RemoveAll(td)
}

0 comments on commit 788418c

Please sign in to comment.