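// Listing: github.com/projectdiscovery/nuclei/v2@v2.9.15/internal/installer/zipslip_unix_test.go

package installer

import (
	"io/fs"
	"os"
	"path/filepath"
	"runtime"
	"testing"
	"time"

	"github.com/stretchr/testify/require"
)

// Compile-time assertion that the stub below satisfies fs.FileInfo.
var _ fs.FileInfo = &tempFileInfo{}

// tempFileInfo is a minimal fs.FileInfo stub for the zip-slip test. Only the
// name is configurable; every other method returns a fixed value.
type tempFileInfo struct {
	name string
}

// Name returns the name the stub was built with.
//
// NOTE(review): fs.FileInfo.Name is documented as the base name of the file,
// but TestZipSlip stores the full archive entry path here. Confirm that the
// expected "" results come from the path-containment check in
// getAbsoluteFilePath and not from a filter keyed on Name().
func (t *tempFileInfo) Name() string {
	return t.name
}

// ModTime reports the current time; the value differs on every call.
func (t *tempFileInfo) ModTime() time.Time {
	return time.Now()
}

// Mode reports fs.ModePerm (all permission bits set, regular file).
func (t *tempFileInfo) Mode() fs.FileMode {
	return fs.ModePerm
}

// IsDir always reports false: the stub stands in for a file entry.
// It keeps its value receiver, unlike the pointer receivers on the other
// methods, so that the method set of tempFileInfo is unchanged.
func (t tempFileInfo) IsDir() bool {
	return false
}

// Size reports a fixed size of 100 bytes.
func (t *tempFileInfo) Size() int64 {
	return 100
}

// Sys returns nil; the stub has no underlying data source.
func (t *tempFileInfo) Sys() any {
	return nil
}

// TestZipSlip checks that archive entry names containing ".." segments are
// rejected: TemplateManager.getAbsoluteFilePath must return an empty write
// path for each of them. The test is skipped on Windows.
func TestZipSlip(t *testing.T) {
	if runtime.GOOS == "windows" {
		t.Skip("Skipping Unix Zip LFI Check")
	}

	// Work under a private, freshly created directory. The fixed path
	// $TMPDIR/templates is shared and predictable, the test body never creates
	// it, and removing it on exit could delete data owned by another process
	// or by a concurrent test run.
	baseDir, err := os.MkdirTemp("", "nuclei-zipslip-")
	require.NoError(t, err)
	t.Cleanup(func() {
		// Best-effort cleanup; a failure here must not mask the test result.
		_ = os.RemoveAll(baseDir)
	})
	configuredTemplateDirectory := filepath.Join(baseDir, "templates")

	t.Run("negative scenarios", func(t *testing.T) {
		// Each entry resolves outside configuredTemplateDirectory once the
		// leading archive directory is dropped and the ".." segments are
		// collapsed.
		//
		// NOTE(review): every case lands in an unrelated sibling ("cve") or in
		// the parent directory. A target whose name merely begins with the
		// template directory's name is not covered, and there is no positive
		// case for a well-formed entry; both would strengthen this test.
		filePathsFromZip := []string{
			"./../nuclei-templates/../cve/test.yaml",
			"nuclei-templates/../cve/test.yaml",
			"nuclei-templates/././../cve/test.yaml",
			"nuclei-templates/.././../cve/test.yaml",
			"nuclei-templates/.././../cve/../test.yaml",
		}
		tm := TemplateManager{}

		for _, filePathFromZip := range filePathsFromZip {
			var info fs.FileInfo = &tempFileInfo{name: filePathFromZip}
			writePath := tm.getAbsoluteFilePath(configuredTemplateDirectory, filePathFromZip, info)
			// An empty result means the entry is skipped rather than written.
			require.Equal(t, "", writePath, filePathFromZip)
		}
	})
}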