Vendor Update Go Libs (#13166)
* update github.com/alecthomas/chroma v0.8.0 -> v0.8.1 * github.com/blevesearch/bleve v1.0.10 -> v1.0.12 * editorconfig-core-go v2.1.1 -> v2.3.7 * github.com/gliderlabs/ssh v0.2.2 -> v0.3.1 * migrate editorconfig.ParseBytes to Parse * github.com/shurcooL/vfsgen to 0d455de96546 * github.com/go-git/go-git/v5 v5.1.0 -> v5.2.0 * github.com/google/uuid v1.1.1 -> v1.1.2 * github.com/huandu/xstrings v1.3.0 -> v1.3.2 * github.com/klauspost/compress v1.10.11 -> v1.11.1 * github.com/markbates/goth v1.61.2 -> v1.65.0 * github.com/mattn/go-sqlite3 v1.14.0 -> v1.14.4 * github.com/mholt/archiver v3.3.0 -> v3.3.2 * github.com/microcosm-cc/bluemonday 4f7140c49acb -> v1.0.4 * github.com/minio/minio-go v7.0.4 -> v7.0.5 * github.com/olivere/elastic v7.0.9 -> v7.0.20 * github.com/urfave/cli v1.20.0 -> v1.22.4 * github.com/prometheus/client_golang v1.1.0 -> v1.8.0 * github.com/xanzy/go-gitlab v0.37.0 -> v0.38.1 * mvdan.cc/xurls v2.1.0 -> v2.2.0 Co-authored-by: Lauris BH <lauris@nix.lv>
parent
91f2afdb54
commit
12a1f914f4
656 changed files with 52967 additions and 25229 deletions
102
vendor/github.com/mholt/archiver/v3/zip.go
generated
vendored
|
@ -6,11 +6,31 @@ import (
|
|||
"compress/flate"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/dsnet/compress/bzip2"
|
||||
"github.com/klauspost/compress/zstd"
|
||||
"github.com/ulikunitz/xz"
|
||||
)
|
||||
|
||||
// ZipCompressionMethod Compression type
|
||||
type ZipCompressionMethod uint16
|
||||
|
||||
// Compression methods.
|
||||
// see https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT.
|
||||
// Note LZMA: Disabled - because 7z isn't able to unpack ZIP+LZMA ZIP+LZMA2 archives made this way - and vice versa.
|
||||
const (
|
||||
Store ZipCompressionMethod = 0
|
||||
Deflate ZipCompressionMethod = 8
|
||||
BZIP2 ZipCompressionMethod = 12
|
||||
LZMA ZipCompressionMethod = 14
|
||||
ZSTD ZipCompressionMethod = 93
|
||||
XZ ZipCompressionMethod = 95
|
||||
)
|
||||
|
||||
// Zip provides facilities for operating ZIP archives.
|
||||
|
@ -55,9 +75,12 @@ type Zip struct {
|
|||
// the operation will continue on remaining files.
|
||||
ContinueOnError bool
|
||||
|
||||
zw *zip.Writer
|
||||
zr *zip.Reader
|
||||
ridx int
|
||||
// Compression algorithm
|
||||
FileMethod ZipCompressionMethod
|
||||
zw *zip.Writer
|
||||
zr *zip.Reader
|
||||
ridx int
|
||||
//decinitialized bool
|
||||
}
|
||||
|
||||
// CheckExt ensures the file extension matches the format.
|
||||
|
@ -68,6 +91,43 @@ func (*Zip) CheckExt(filename string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// Registering a global decompressor is not reentrant and may panic
|
||||
func registerDecompressor(zr *zip.Reader) {
|
||||
// register zstd decompressor
|
||||
zr.RegisterDecompressor(uint16(ZSTD), func(r io.Reader) io.ReadCloser {
|
||||
zr, err := zstd.NewReader(r)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
return zr.IOReadCloser()
|
||||
})
|
||||
zr.RegisterDecompressor(uint16(BZIP2), func(r io.Reader) io.ReadCloser {
|
||||
bz2r, err := bzip2.NewReader(r, nil)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
return bz2r
|
||||
})
|
||||
zr.RegisterDecompressor(uint16(XZ), func(r io.Reader) io.ReadCloser {
|
||||
xr, err := xz.NewReader(r)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
return ioutil.NopCloser(xr)
|
||||
})
|
||||
}
|
||||
|
||||
// CheckPath ensures the file extension matches the format.
|
||||
func (*Zip) CheckPath(to, filename string) error {
|
||||
to, _ = filepath.Abs(to) //explicit the destination folder to prevent that 'string.HasPrefix' check can be 'bypassed' when no destination folder is supplied in input
|
||||
dest := filepath.Join(to, filename)
|
||||
//prevent path traversal attacks
|
||||
if !strings.HasPrefix(dest, to) {
|
||||
return fmt.Errorf("illegal file path: %s", filename)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Archive creates a .zip file at destination containing
|
||||
// the files listed in sources. The destination must end
|
||||
// with ".zip". File paths can be those of regular files
|
||||
|
@ -165,7 +225,7 @@ func (z *Zip) Unarchive(source, destination string) error {
|
|||
break
|
||||
}
|
||||
if err != nil {
|
||||
if z.ContinueOnError {
|
||||
if z.ContinueOnError || strings.Contains(err.Error(), "illegal file path") {
|
||||
log.Printf("[ERROR] Reading file in zip archive: %v", err)
|
||||
continue
|
||||
}
|
||||
|
@ -182,6 +242,11 @@ func (z *Zip) extractNext(to string) error {
|
|||
return err // don't wrap error; calling loop must break on io.EOF
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
errPath := z.CheckPath(to, f.Header.(zip.FileHeader).Name)
|
||||
if errPath != nil {
|
||||
return fmt.Errorf("checking path traversal attempt: %v", errPath)
|
||||
}
|
||||
return z.extractFile(f, to)
|
||||
}
|
||||
|
||||
|
@ -292,6 +357,20 @@ func (z *Zip) Create(out io.Writer) error {
|
|||
return flate.NewWriter(out, z.CompressionLevel)
|
||||
})
|
||||
}
|
||||
switch z.FileMethod {
|
||||
case BZIP2:
|
||||
z.zw.RegisterCompressor(uint16(BZIP2), func(out io.Writer) (io.WriteCloser, error) {
|
||||
return bzip2.NewWriter(out, &bzip2.WriterConfig{Level: z.CompressionLevel})
|
||||
})
|
||||
case ZSTD:
|
||||
z.zw.RegisterCompressor(uint16(ZSTD), func(out io.Writer) (io.WriteCloser, error) {
|
||||
return zstd.NewWriter(out)
|
||||
})
|
||||
case XZ:
|
||||
z.zw.RegisterCompressor(uint16(XZ), func(out io.Writer) (io.WriteCloser, error) {
|
||||
return xz.NewWriter(out)
|
||||
})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -320,7 +399,7 @@ func (z *Zip) Write(f File) error {
|
|||
if _, ok := compressedFormats[ext]; ok && z.SelectiveCompression {
|
||||
header.Method = zip.Store
|
||||
} else {
|
||||
header.Method = zip.Deflate
|
||||
header.Method = uint16(z.FileMethod)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -376,6 +455,7 @@ func (z *Zip) Open(in io.Reader, size int64) error {
|
|||
if err != nil {
|
||||
return fmt.Errorf("creating reader: %v", err)
|
||||
}
|
||||
registerDecompressor(z.zr)
|
||||
z.ridx = 0
|
||||
return nil
|
||||
}
|
||||
|
@ -432,11 +512,13 @@ func (z *Zip) Walk(archive string, walkFn WalkFunc) error {
|
|||
return fmt.Errorf("opening zip reader: %v", err)
|
||||
}
|
||||
defer zr.Close()
|
||||
|
||||
registerDecompressor(&zr.Reader)
|
||||
for _, zf := range zr.File {
|
||||
zfrc, err := zf.Open()
|
||||
if err != nil {
|
||||
zfrc.Close()
|
||||
if zfrc != nil {
|
||||
zfrc.Close()
|
||||
}
|
||||
if z.ContinueOnError {
|
||||
log.Printf("[ERROR] Opening %s: %v", zf.Name, err)
|
||||
continue
|
||||
|
@ -530,7 +612,9 @@ func (*Zip) Match(file io.ReadSeeker) (bool, error) {
|
|||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
defer file.Seek(currentPos, io.SeekStart)
|
||||
defer func() {
|
||||
_, _ = file.Seek(currentPos, io.SeekStart)
|
||||
}()
|
||||
|
||||
buf := make([]byte, 4)
|
||||
if n, err := file.Read(buf); err != nil || n < 4 {
|
||||
|
@ -547,6 +631,7 @@ func NewZip() *Zip {
|
|||
CompressionLevel: flate.DefaultCompression,
|
||||
MkdirAll: true,
|
||||
SelectiveCompression: true,
|
||||
FileMethod: Deflate,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -560,6 +645,7 @@ var (
|
|||
_ = Extractor(new(Zip))
|
||||
_ = Matcher(new(Zip))
|
||||
_ = ExtensionChecker(new(Zip))
|
||||
_ = FilenameChecker(new(Zip))
|
||||
)
|
||||
|
||||
// compressedFormats is a (non-exhaustive) set of lowercased
|
||||
|
|
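Review bot: `CheckPath` (hunk `-68,6 +91,43`) tests containment with a bare `strings.HasPrefix(dest, to)`, which also accepts a path in a sibling directory whose name merely starts with the destination's name (constructed example: destination `/data/out`, resolved entry `/data/out-old/x`). A component-wise check avoids this: `rel, err := filepath.Rel(to, dest)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {`. The same function discards the error from `filepath.Abs(to)`, so a failed resolution leaves `to` empty and the prefix test then passes for every entry; that error should be returned. In the `Unarchive` hunk the rejection is recognised by `strings.Contains(err.Error(), "illegal file path")`, which breaks silently if the message is reworded, so an exported sentinel error checked with `errors.Is` would be sturdier. The file is vendored, so these changes belong upstream in mholt/archiver and should reach this tree through a later version bump rather than a local edit.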