From 9c468f30f38d09451e5a65edfff277cfe381fd49 Mon Sep 17 00:00:00 2001
From: John Lees-Miller
Date: Sun, 26 Aug 2018 10:00:35 +0100
Subject: [PATCH] Add jwilk's path traversal tests
---
 .../jwilk-path-traversal-samples/README.md | 5 +
 .../absolute1.zip | Bin 0 -> 118 bytes
 .../absolute2.zip | Bin 0 -> 120 bytes
 .../dirsymlink.zip | Bin 0 -> 202 bytes
 .../dirsymlink2a.zip | Bin 0 -> 287 bytes
 .../dirsymlink2b.zip | Bin 0 -> 291 bytes
 .../relative0.zip | Bin 0 -> 114 bytes
 .../relative2.zip | Bin 0 -> 128 bytes
 .../jwilk-path-traversal-samples/symlink.zip | Bin 0 -> 198 bytes
 test/path_traversal_test.rb | 88 ++++++++++++++++++
 10 files changed, 93 insertions(+)
 create mode 100644 test/data/jwilk-path-traversal-samples/README.md
 create mode 100644 test/data/jwilk-path-traversal-samples/absolute1.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/absolute2.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/dirsymlink.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/dirsymlink2a.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/dirsymlink2b.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/relative0.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/relative2.zip
 create mode 100644 test/data/jwilk-path-traversal-samples/symlink.zip
 create mode 100644 test/path_traversal_test.rb
diff --git a/test/data/jwilk-path-traversal-samples/README.md b/test/data/jwilk-path-traversal-samples/README.md
new file mode 100644
index 00000000..2ecceb23
--- /dev/null
+++ b/test/data/jwilk-path-traversal-samples/README.md
@@ -0,0 +1,5 @@
+# Path Traversal Samples
+
+Copied from https://github.com/jwilk/path-traversal-samples on 2018-08-26.
+
+License: MIT
diff --git a/test/data/jwilk-path-traversal-samples/absolute1.zip b/test/data/jwilk-path-traversal-samples/absolute1.zip new file mode 100644 index 0000000000000000000000000000000000000000..27c615d98bae9a331eedd1425f5830c40812fd2c GIT binary patch literal 118 zcmWIWW@h1H0D<3gj{B^9WW16E$Od5!Al5I*Ezr-+&j%u|0B=SnIcD5yfyx;efp|$H Why~Lb;LXYg;xhuF8IaZjaTox`+Z8VW literal 0 HcmV?d00001 diff --git a/test/data/jwilk-path-traversal-samples/absolute2.zip b/test/data/jwilk-path-traversal-samples/absolute2.zip new file mode 100644 index 0000000000000000000000000000000000000000..c82c14eaa68624f85dd0f8ed63da5cef56c0bb24 GIT binary patch literal 120 zcmWIWW@h1H0D<3gj{B^9WW16E$Od6fAlBC}$t}>&&CdrSt^jXFCOKx@ih=4G7=d_6 YBZvjp8sN>!1`=QdLUSOk4dO5W0Q9UCkpKVy literal 0 HcmV?d00001 diff --git a/test/data/jwilk-path-traversal-samples/dirsymlink.zip b/test/data/jwilk-path-traversal-samples/dirsymlink.zip new file mode 100644 index 0000000000000000000000000000000000000000..978b5d8a061316af9e1d7de091032281dee5e515 GIT binary patch literal 202 zcmWIWW@h1H0D<3gj{E2x+0DfQWP>m>5SQc@=mT*8ilUW|j90=Gu|pN*=H~+uSAaJo zlN>W{^MI3K_6&MfHx}}NP-Cn(}1)eh{FH?U=Sr) literal 0 HcmV?d00001 diff --git a/test/data/jwilk-path-traversal-samples/dirsymlink2a.zip b/test/data/jwilk-path-traversal-samples/dirsymlink2a.zip new file mode 100644 index 0000000000000000000000000000000000000000..443deede33be9e5eaf90b496296becca2e181d52 GIT binary patch literal 287 zcmWIWW@h1H0D<3gj{7)0y28f@WP>m>5GR)w=>?#uICw8jn++%f!XOm|iA6v~`g&-} zRz5Ob$pVxHVRncz{oMR~AmR$}W@M6M#%(81H5mL~2%><7qiaBS0z^3j!~ca!Kqk;Z k=o-)+1JVHU;gUvAhz5|;0=!v4egb-mnPEDRE&_2F0PO@eP5=M^ literal 0 HcmV?d00001 
diff --git a/test/data/jwilk-path-traversal-samples/dirsymlink2b.zip b/test/data/jwilk-path-traversal-samples/dirsymlink2b.zip new file mode 100644 index 0000000000000000000000000000000000000000..5a5a12b4b6bb08eb331850e1a2547fb78434d1a2 GIT binary patch literal 291 zcmWIWW@h1H0D<3gj{7)0y28f@WP>m>5GR)w=>?#ukP+jU#sriBVRncL{er|IJv3!2 z9~rM?0ZM}~NEuLxer|p~5OD=~Gcw6BJ85n_hNh62_ V(HG#&3Ni#J&d6W_q%}Ys1^^b>65jv- literal 0 HcmV?d00001 diff --git a/test/data/jwilk-path-traversal-samples/relative2.zip b/test/data/jwilk-path-traversal-samples/relative2.zip new file mode 100644 index 0000000000000000000000000000000000000000..8957028d9597f9658eae2df18f0e138ead49714f GIT binary patch literal 128 zcmWIWW@h1H0D<3gj{B^9WW16E$Od6vATG%*(AU!gq1^m@AmR$}W@M6M#;pOUhk+4@ Zmo$P{DB1(OS=m5>j6i4&r1e1@1^~L>7ZCse literal 0 HcmV?d00001 diff --git a/test/data/jwilk-path-traversal-samples/symlink.zip b/test/data/jwilk-path-traversal-samples/symlink.zip new file mode 100644 index 0000000000000000000000000000000000000000..edaa7526aeb60c51a2f8140ee9b34767964a7cc4 GIT binary patch literal 198 zcmWIWW@h1H0D<3gj{8J;-<{3@WP>m>5a;IS>zCvf=mY5h6oo4v8LwmkDga@qLZBM1 x0B=SnIcD7E0ab&+|Ain5Y$~b-baO$<7=d_6qb5uPD;r3V2?&#bv>%AW001u9B$EID literal 0 HcmV?d00001 diff --git a/test/path_traversal_test.rb b/test/path_traversal_test.rb new file mode 100644 index 00000000..ab8269b7 --- /dev/null +++ b/test/path_traversal_test.rb 
@@ -0,0 +1,88 @@
+class PathTraversalTest < MiniTest::Test
+ TEST_FILE_ROOT = File.absolute_path('test/data/jwilk-path-traversal-samples')
+
+ def setup
+ FileUtils.rm_f '/tmp/moo' # with apologies to anyone using this file
+ end
+
+ def extract_path_traversal_zip(name)
+ Zip::File.open(File.join(TEST_FILE_ROOT, name)) do |zip_file|
+ zip_file.each do |entry|
+ entry.extract
+ end
+ end
+ end
+
+ def in_tmpdir
+ Dir.mktmpdir do |tmp|
+ test_path = File.join(tmp, 'test')
+ Dir.mkdir test_path
+ Dir.chdir(test_path) do
+ yield
+ end
+ end
+ end
+
+ def test_leading_slash
+ in_tmpdir do
+ extract_path_traversal_zip 'absolute1.zip'
+ assert !File.exist?('/tmp/moo')
+ end
+ end
+
+ def test_multiple_leading_slashes
+ in_tmpdir do
+ extract_path_traversal_zip 'absolute2.zip'
+ assert !File.exist?('/tmp/moo')
+ end
+ end
+
+ def test_leading_dot_dot
+ in_tmpdir do
+ extract_path_traversal_zip 'relative0.zip'
+ assert !File.exist?('../moo')
+ end
+ end
+
+ def test_non_leading_dot_dot
+ in_tmpdir do
+ extract_path_traversal_zip 'relative2.zip'
+ assert !File.exist?('../moo')
+ end
+ end
+
+ def test_file_symlink
+ in_tmpdir do
+ extract_path_traversal_zip 'symlink.zip'
+ assert File.exist?('moo')
+ assert !File.exist?('/tmp/moo')
+ end
+ end
+
+ def test_directory_symlink
+ in_tmpdir do
+ extract_path_traversal_zip 'dirsymlink.zip'
+ assert !File.exist?('/tmp/moo')
+ end
+ end
+
+ def test_two_directory_symlinks_a
+ in_tmpdir do
+ # Can't create par/moo because the symlink par is skipped.
+ assert_raises Errno::ENOENT do
+ extract_path_traversal_zip 'dirsymlink2a.zip'
+ end
+ assert File.exist?('cur')
+ assert_equal '.', File.readlink('cur')
+ end
+ end
+
+ def test_two_directory_symlinks_b
+ in_tmpdir do
+ extract_path_traversal_zip 'dirsymlink2b.zip'
+ assert File.exist?('cur')
+ assert_equal '.', File.readlink('cur')
+ assert !File.exist?('../moo')
+ end
+ end
+end
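Review bot: `test_file_symlink` only establishes indirectly that the `moo` entry was written as a regular file rather than a link — `File.exist?('moo')` follows symlinks, so it passes solely because `setup` removed `/tmp/moo` beforehand; stating the property outright with `assert !File.symlink?('moo')` keeps the test meaningful if the fixture or `setup` changes. The sample archives force the absolute target `/tmp/moo`, yet only `setup` cleans it, so a regression that does escape the sandbox leaves the file on the host until the next run; a matching `def teardown; FileUtils.rm_f '/tmp/moo'; end` would remove it immediately. `in_tmpdir` switches the process-wide working directory with `Dir.chdir`, which presumably is safe only as long as these tests never run under a parallel in-process runner — worth a comment on the helper. As a point of style, `refute File.exist?(...)` reads more directly than `assert !File.exist?(...)` throughout the file.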