1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
import os
import pytest
from py7zr import SevenZipFile
from py7zr.exceptions import Bad7zFile
from py7zr.helpers import check_archive_path, get_sanitized_output_path
from py7zr.properties import FILTER_LZMA2, PRESET_DEFAULT
testdata_path = os.path.join(os.path.dirname(__file__), "data")
@pytest.mark.misc
def test_check_archive_path():
bad_path = "../../.../../../../../../tmp/evil.sh"
assert not check_archive_path(bad_path)
@pytest.mark.misc
def test_get_sanitized_output_path_1(tmp_path):
bad_path = "../../.../../../../../../tmp/evil.sh"
with pytest.raises(Bad7zFile):
get_sanitized_output_path(bad_path, tmp_path)
@pytest.mark.misc
def test_get_sanitized_output_path_2(tmp_path):
good_path = "good.sh"
expected = tmp_path.joinpath(good_path)
assert expected == get_sanitized_output_path(good_path, tmp_path)
@pytest.mark.misc
def test_extract_path_traversal_attack(tmp_path):
my_filters = [
{"id": FILTER_LZMA2, "preset": PRESET_DEFAULT},
]
target = tmp_path.joinpath("target.7z")
from base64 import b64decode
data = """
N3q8ryccAATOVjH2nAAAAAAAAAAVAAAAAAAAABe26oXgACYAIV0AEYhCRj30FjRzCg2kNp3mcg12
I+GegsuiKVIVM4p1+AQVAOAAqgBrXQAAgTMHrg/QluR8nz9HQQQEMnr/nRksOfngonWcaGZa9yk2
MshKgENm9F8IrHzRtlxA1rG7ojA2dU0VubucO3DWfQiBaqCqtidfv5DCj8LxFZ7PbZYke+rw7nKV
bAoyU7Z/s4bc+kz6VLwXgAAXBikBCXMABwsBAAEhIQEYDICrAAA=
"""
bindata = b64decode(data)
with open(target, "wb") as archive:
archive.write(bindata)
with pytest.raises(Bad7zFile):
with SevenZipFile(target, "r") as archive:
archive.extractall(path=tmp_path)
|
