
Vendor Update Go Libs (#13444)

* denisenkom/go-mssqldb untagged -> v0.9.0

* github.com/editorconfig/editorconfig-core-go v2.3.7 -> v2.3.8

* github.com/go-testfixtures/testfixtures v3.4.0 -> v3.4.1

* github.com/mholt/archiver v3.3.2 -> v3.5.0

* github.com/olivere/elastic v7.0.20 -> v7.0.21

* github.com/urfave/cli v1.22.4 -> v1.22.5

* github.com/xanzy/go-gitlab v0.38.1 -> v0.39.0

* github.com/yuin/goldmark-meta untagged -> v1.0.0

* github.com/ethantkoenig/rupture 0a76f03a811a -> c3b3b810dc77

* github.com/jaytaylor/html2text 8fb95d837f7d -> 3577fbdbcff7

* github.com/kballard/go-shellquote cd60e84ee657 -> 95032a82bc51

* github.com/msteinert/pam 02ccfbfaf0cc -> 913b8f8cdf8b

* github.com/unknwon/paginater 7748a72e0141 -> 042474bd0eae

* CI.restart()

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
6543 2020-11-06 19:41:42 +01:00 committed by GitHub
parent eebaa81f43
commit 30ce3731a1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
184 changed files with 12387 additions and 2975 deletions


@ -40,6 +40,10 @@ type Tar struct {
// especially on extraction.
ImplicitTopLevelFolder bool
// Strip number of leading paths. This feature is available
// only during unpacking of the entire archive.
StripComponents int
// If true, errors encountered during reading
// or writing a single file will be logged and
// the operation will continue on remaining files.
@ -67,7 +71,7 @@ func (*Tar) CheckPath(to, filename string) error {
dest := filepath.Join(to, filename)
//prevent path traversal attacks
if !strings.HasPrefix(dest, to) {
return fmt.Errorf("illegal file path: %s", filename)
return &IllegalPathError{AbsolutePath: dest, Filename: filename}
}
return nil
}
@ -161,7 +165,7 @@ func (t *Tar) Unarchive(source, destination string) error {
break
}
if err != nil {
if t.ContinueOnError || strings.Contains(err.Error(), "illegal file path") {
if t.ContinueOnError || IsIllegalPathError(err) {
log.Printf("[ERROR] Reading file in tar archive: %v", err)
continue
}
@ -233,6 +237,17 @@ func (t *Tar) untarNext(destination string) error {
if errPath != nil {
return fmt.Errorf("checking path traversal attempt: %v", errPath)
}
if t.StripComponents > 0 {
if strings.Count(header.Name, "/") < t.StripComponents {
return nil // skip path with fewer components
}
for i := 0; i < t.StripComponents; i++ {
slash := strings.Index(header.Name, "/")
header.Name = header.Name[slash+1:]
}
}
return t.untarFile(f, destination, header)
}
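Review bot: The new `StripComponents` block in the last hunk rewrites `header.Name` after the path check whose result (`errPath`) is tested just above it, so the name passed to `t.untarFile` is not the name that was validated. Removing leading components can change where a name containing `..` segments resolves, so a name that stayed inside `destination` before stripping is not guaranteed to stay inside it afterwards (this assumes `untarFile` joins `destination` with `header.Name`, which is not visible here). Either strip first and validate the result, or re-check after the loop: `if err := t.CheckPath(destination, header.Name); err != nil { return fmt.Errorf("checking path traversal attempt: %v", err) }`. `untarNext` starts outside the hunk, and if this file is a vendored copy the change belongs in the upstream library rather than here.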