mirror of
https://github.com/macvim-dev/macvim.git
synced 2026-02-05 11:33:15 +01:00
586294a041
Problem: [security]: path traversal issue in zip.vim (@ax)
Solution: drop leading ../ on write of zipfiles, don't forcefully
overwrite existing files
A zip plugin which contains filenames with leading '../' may cause
confusion as to where the content will be extracted. Let's drop such
things and make sure we use a relative filename instead and don't
forcefully overwrite temporary files. Also, warn the user of such
things.
related: #17733
Signed-off-by: Christian Brabandt <cb@256bit.org>
277 lines
5.9 KiB
VimL
277 lines
5.9 KiB
VimL
vim9script
|
|
|
|
CheckExecutable unzip
|
|
|
|
if 0 # Find uncovered line
|
|
profile start zip_profile
|
|
profile! file */zip*.vim
|
|
endif
|
|
|
|
runtime plugin/zipPlugin.vim
|
|
|
|
def CopyZipFile(source: string)
|
|
if !filecopy($"samples/{source}", "X.zip")
|
|
assert_report($"Can't copy samples/{source}.zip")
|
|
endif
|
|
enddef
|
|
|
|
def g:Test_zip_basic()
|
|
CopyZipFile("test.zip")
|
|
defer delete("X.zip")
|
|
e X.zip
|
|
|
|
### Check header
|
|
assert_match('^" zip\.vim version v\d\+', getline(1))
|
|
assert_match('^" Browsing zipfile .*/X.zip', getline(2))
|
|
assert_match('^" Select a file with cursor and press ENTER', getline(3))
|
|
assert_match('^$', getline(4))
|
|
|
|
### Check files listing
|
|
assert_equal(["Xzip/", "Xzip/dir/", "Xzip/file.txt"], getline(5, 7))
|
|
|
|
### Check ENTER on header
|
|
:1
|
|
exe ":normal \<cr>"
|
|
assert_equal("X.zip", @%)
|
|
|
|
### Check ENTER on directory
|
|
:1|:/^$//dir/
|
|
assert_match('Please specify a file, not a directory',
|
|
execute("normal \<CR>"))
|
|
|
|
### Check ENTER on file
|
|
:1
|
|
search('file.txt')
|
|
exe ":normal \<cr>"
|
|
assert_match('zipfile://.*/X.zip::Xzip/file.txt', @%)
|
|
assert_equal('one', getline(1))
|
|
|
|
### Check editing file
|
|
if executable("zip")
|
|
s/one/two/
|
|
assert_equal("two", getline(1))
|
|
w
|
|
bw|bw
|
|
e X.zip
|
|
|
|
:1|:/^$//file/
|
|
exe "normal \<cr>"
|
|
assert_equal("two", getline(1))
|
|
endif
|
|
|
|
only
|
|
e X.zip
|
|
|
|
### Check extracting file
|
|
:1|:/^$//file/
|
|
normal x
|
|
assert_true(filereadable("Xzip/file.txt"))
|
|
|
|
## Check not overwriting existing file
|
|
assert_match('<Xzip/file.txt> .* not overwriting!', execute("normal x"))
|
|
|
|
delete("Xzip", "rf")
|
|
|
|
### Check extracting directory
|
|
:1|:/^$//dir/
|
|
assert_match('Please specify a file, not a directory', execute("normal x"))
|
|
assert_equal("X.zip", @%)
|
|
|
|
### Check "x" on header
|
|
:1
|
|
normal x
|
|
assert_equal("X.zip", @%)
|
|
bw
|
|
|
|
### Check opening zip when "unzip" program is missing
|
|
var save_zip_unzipcmd = g:zip_unzipcmd
|
|
g:zip_unzipcmd = "/"
|
|
assert_match('unzip not available on your system', execute("e X.zip"))
|
|
|
|
### Check when "unzip" don't work
|
|
if executable("false")
|
|
g:zip_unzipcmd = "false"
|
|
assert_match('X\.zip is not a zip file', execute("e X.zip"))
|
|
endif
|
|
bw
|
|
|
|
g:zip_unzipcmd = save_zip_unzipcmd
|
|
e X.zip
|
|
|
|
### Check opening file when "unzip" is missing
|
|
g:zip_unzipcmd = "/"
|
|
assert_match('sorry, your system doesn''t appear to have the / program',
|
|
execute("normal \<CR>"))
|
|
|
|
bw|bw
|
|
g:zip_unzipcmd = save_zip_unzipcmd
|
|
e X.zip
|
|
|
|
### Check :write when "zip" program is missing
|
|
:1|:/^$//file/
|
|
exe "normal \<cr>Goanother\<esc>"
|
|
var save_zip_zipcmd = g:zip_zipcmd
|
|
g:zip_zipcmd = "/"
|
|
assert_match('sorry, your system doesn''t appear to have the / program',
|
|
execute("write"))
|
|
|
|
### Check when "zip" report failure
|
|
if executable("false")
|
|
g:zip_zipcmd = "false"
|
|
assert_match('sorry, unable to update .*/X.zip with Xzip/file.txt',
|
|
execute("write"))
|
|
endif
|
|
bw!|bw
|
|
|
|
g:zip_zipcmd = save_zip_zipcmd
|
|
|
|
### Check opening an no zipfile
|
|
writefile(["qsdf"], "Xcorupt.zip", "D")
|
|
e! Xcorupt.zip
|
|
assert_equal("qsdf", getline(1))
|
|
|
|
bw
|
|
|
|
### Check no existing zipfile
|
|
assert_match('File not readable', execute("e Xnot_exists.zip"))
|
|
|
|
bw
|
|
enddef
|
|
|
|
def g:Test_zip_glob_fname()
|
|
CheckNotMSWindows
|
|
# does not work on Windows, why?
|
|
|
|
CopyZipFile("testa.zip")
|
|
defer delete("X.zip")
|
|
defer delete('zipglob', 'rf')
|
|
|
|
e X.zip
|
|
|
|
### 1) Check extracting strange files
|
|
:1
|
|
var fname = 'a[a].txt'
|
|
search('\V' .. fname)
|
|
normal x
|
|
assert_true(filereadable('zipglob/' .. fname))
|
|
delete('zipglob', 'rf')
|
|
|
|
:1
|
|
fname = 'a*.txt'
|
|
search('\V' .. fname)
|
|
normal x
|
|
assert_true(filereadable('zipglob/' .. fname))
|
|
delete('zipglob', 'rf')
|
|
|
|
:1
|
|
fname = 'a?.txt'
|
|
search('\V' .. fname)
|
|
normal x
|
|
assert_true(filereadable('zipglob/' .. fname))
|
|
delete('zipglob', 'rf')
|
|
|
|
:1
|
|
fname = 'a\.txt'
|
|
search('\V' .. escape(fname, '\\'))
|
|
normal x
|
|
assert_true(filereadable('zipglob/' .. fname))
|
|
delete('zipglob', 'rf')
|
|
|
|
:1
|
|
fname = 'a\\.txt'
|
|
search('\V' .. escape(fname, '\\'))
|
|
normal x
|
|
assert_true(filereadable('zipglob/' .. fname))
|
|
delete('zipglob', 'rf')
|
|
|
|
### 2) Check entering strange file names
|
|
:1
|
|
fname = 'a[a].txt'
|
|
search('\V' .. fname)
|
|
exe ":normal \<cr>"
|
|
assert_match('zipfile://.*/X.zip::zipglob/a\[a\].txt', @%)
|
|
assert_equal('a test file with []', getline(1))
|
|
bw
|
|
|
|
e X.zip
|
|
:1
|
|
fname = 'a*.txt'
|
|
search('\V' .. fname)
|
|
exe ":normal \<cr>"
|
|
assert_match('zipfile://.*/X.zip::zipglob/a\*.txt', @%)
|
|
assert_equal('a test file with a*', getline(1))
|
|
bw
|
|
|
|
e X.zip
|
|
:1
|
|
fname = 'a?.txt'
|
|
search('\V' .. fname)
|
|
exe ":normal \<cr>"
|
|
assert_match('zipfile://.*/X.zip::zipglob/a?.txt', @%)
|
|
assert_equal('a test file with a?', getline(1))
|
|
bw
|
|
|
|
e X.zip
|
|
:1
|
|
fname = 'a\.txt'
|
|
search('\V' .. escape(fname, '\\'))
|
|
exe ":normal \<cr>"
|
|
assert_match('zipfile://.*/X.zip::zipglob/a\\.txt', @%)
|
|
assert_equal('a test file with a\', getline(1))
|
|
bw
|
|
|
|
e X.zip
|
|
:1
|
|
fname = 'a\\.txt'
|
|
search('\V' .. escape(fname, '\\'))
|
|
exe ":normal \<cr>"
|
|
assert_match('zipfile://.*/X.zip::zipglob/a\\\\.txt', @%)
|
|
assert_equal('a test file with a double \', getline(1))
|
|
bw
|
|
|
|
bw
|
|
enddef
|
|
|
|
def g:Test_zip_fname_leading_hyphen()
|
|
CheckNotMSWindows
|
|
|
|
### copy sample zip file
|
|
CopyZipFile("poc.zip")
|
|
defer delete("X.zip")
|
|
defer delete('-d', 'rf')
|
|
defer delete('/tmp/pwned', 'rf')
|
|
|
|
e X.zip
|
|
|
|
:1
|
|
var fname = '-d/tmp'
|
|
search('\V' .. fname)
|
|
normal x
|
|
assert_true(filereadable('-d/tmp'))
|
|
assert_false(filereadable('/tmp/pwned'))
|
|
bw
|
|
enddef
|
|
|
|
def g:Test_zip_fname_evil_path()
|
|
CheckNotMSWindows
|
|
# needed for writing the zip file
|
|
CheckExecutable zip
|
|
|
|
CopyZipFile("evil.zip")
|
|
defer delete("X.zip")
|
|
e X.zip
|
|
|
|
:1
|
|
var fname = 'pwn'
|
|
search('\V' .. fname)
|
|
normal x
|
|
assert_false(filereadable('/etc/ax-pwn'))
|
|
var mess = execute(':mess')
|
|
assert_match('Path Traversal Attack', mess)
|
|
|
|
exe ":normal \<cr>"
|
|
:w
|
|
assert_match('zipfile://.*::etc/ax-pwn', @%)
|
|
bw
|
|
enddef
|