uploads: allow uploading .zip, .rar., and .7z files from disk.

Allow uploading .zip, .rar, and .7z files from disk. The archive will be extracted and the images
inside will be uploaded.

This only works for archive files uploaded from disk, not from a source URL.

Post source URLs will look something like this: "file://foo.zip/1.jpg", "file://foo.zip/2.jpg", etc.
Sometimes artists use Shift JIS or other encodings instead of UTF-8 for filenames. In these cases
we just assume the filename is UTF-8 and replace invalid characters with '?', so filenames might be
wrong in some cases.

There are various protections to prevent uploading malicious archive files:

* Archives with more than 100 files aren't allowed.
* Archives that decompress to more than 100MB aren't allowed.
* Archives with filenames containing '..' components aren't allowed (e.g. '../../../../../etc/passwd').
* Archives with filenames containing absolute paths aren't allowed (e.g. '/etc/passwd').
* Archives containing symlinks aren't allowed (e.g. 'foo -> /etc/passwd').
* Archive types other than .zip, .rar, and .7z aren't allowed (e.g. .tar.gz, .cpio).
* File permissions, owners, and other metadata are ignored.

Partial fix for #5340: Add support for extracting archive attachments from certain sources
evazion
2022-11-16 01:53:50 -06:00
parent d791924aad
commit 2deae38a4e
14 changed files with 232 additions and 31 deletions


@@ -117,7 +117,8 @@ class DanbooruArchiveTest < ActiveSupport::TestCase
assert_equal("ZIP 2.0 (uncompressed)", Danbooru::Archive.open("test/files/archive/ugoira.zip").format)
assert_equal("RAR5", Danbooru::Archive.open("test/files/archive/ugoira.rar").format)
assert_equal("7-Zip", Danbooru::Archive.open("test/files/archive/ugoira.7z").format)
assert_equal("7-Zip", Danbooru::Archive.open("test/files/archive/ugoira.tar.7z").format)
assert_equal("GNU tar format", Danbooru::Archive.open("test/files/archive/ugoira.tar").format)
assert_equal("GNU tar format", Danbooru::Archive.open("test/files/archive/ugoira.tar.gz").format)
end
end
@@ -126,7 +127,8 @@ class DanbooruArchiveTest < ActiveSupport::TestCase
assert_equal(:zip, Danbooru::Archive.open("test/files/archive/ugoira.zip").file_ext)
assert_equal(:rar, Danbooru::Archive.open("test/files/archive/ugoira.rar").file_ext)
assert_equal(:"7z", Danbooru::Archive.open("test/files/archive/ugoira.7z").file_ext)
assert_equal(:"7z", Danbooru::Archive.open("test/files/archive/ugoira.tar.7z").file_ext)
assert_equal(:bin, Danbooru::Archive.open("test/files/archive/ugoira.tar").file_ext)
assert_equal(:bin, Danbooru::Archive.open("test/files/archive/ugoira.tar.gz").file_ext)
end
end
@@ -139,5 +141,40 @@ class DanbooruArchiveTest < ActiveSupport::TestCase
assert_match(/^-rw-rw-r-- *0 0 *1639 2014-10-05 23:31:06 000000\.jpg$/, output.tap(&:rewind).read)
end
end
should "detect directory traversal attacks" do
archive = Danbooru::Archive.open!("test/files/archive/zip-slip.zip")
assert_equal(true, archive.entries.any? { |e| e.directory_traversal? })
assert_raises(Danbooru::Archive::Error) { archive.extract! }
end
should "detect symlinks" do
archive = Danbooru::Archive.open!("test/files/archive/symlink.zip")
assert_equal(true, archive.entries.any? { |e| !e.file? && !e.directory? })
assert_raises(Danbooru::Archive::Error) { archive.extract! }
end
should "detect absolute paths" do
archive = Danbooru::Archive.open!("test/files/archive/absolute-path.7z")
assert_equal(true, archive.entries.any? { |e| e.pathname.starts_with?("/") })
assert_raises(Danbooru::Archive::Error) { archive.extract! }
end
should "detect archives with large numbers of files" do
archive = Danbooru::Archive.open!("test/files/archive/bomb-10k-files.7z")
assert_equal(true, archive.exists? { |_, count| count > 100 })
assert_equal(10_000, archive.file_count)
end
should "detect decompression bombs" do
archive = Danbooru::Archive.open!("test/files/archive/bomb-1-1G.rar")
assert_equal(1, archive.file_count)
assert_equal(1_048_576_000, archive.uncompressed_size)
end
end
end
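Review bot: The two bomb tests in the last hunk (`bomb-10k-files.7z` and `bomb-1-1G.rar`) only assert `file_count` and `uncompressed_size`; unlike the traversal, symlink and absolute-path tests above them, they never assert that the archive is actually rejected. The commit message states that archives with more than 100 files or more than 100MB decompressed aren't allowed, so a regression that drops those limits would pass this file unnoticed. If `extract!` is where the limits are enforced, add `assert_raises(Danbooru::Archive::Error) { archive.extract! }` to both tests; if enforcement lives in the upload layer (not visible in this section), a test there should use these same fixtures. It is also worth confirming in the implementation that the size limit is applied to bytes actually written during extraction and not only to the size the archive metadata declares, since `uncompressed_size` may be read from the headers.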