Fix CVE-2018-1000544 symlink path traversal

Not sure if the exception is the right way to go
2018-07-01 16:45:06 -04:00 · 2018-07-01 16:45:06 -04:00 · 8e78311d67
parent 6e0d23178a
commit 8e78311d67
3 changed files with 13 additions and 0 deletions
--- a/lib/zip/entry.rb
+++ b/lib/zip/entry.rb
@ -154,6 +154,9 @@ module Zip
      elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
        puts "WARNING: skipped \"../\" path component(s) in #{@name}"
        return self
+      elsif symlink? && get_input_stream.read =~ %r{../..}
+        puts "WARNING: skipped \"#{get_input_stream.read}\" symlink path in #{@name}"
+        return self
      end

      dest_path ||= @name
--- a/test/data/symlink.zip
+++ b/test/data/symlink.zip
--- a/test/entry_test.rb
+++ b/test/entry_test.rb
@ -177,4 +177,14 @@ class ZipEntryTest < MiniTest::Test

    assert File.exist?("#{path}/tmp/file.txt")
  end
+
+  def test_entry_name_with_relative_symlink
+    assert_raises Errno::ENOENT do
+      Zip::File.open('test/data/symlink.zip') do |zip_file|
+        zip_file.each do |entry|
+          entry.extract
+        end
+      end
+    end
+  end
 end