Vendor Update Go Libs (#13444)

* denisenkom/go-mssqldb untagged -> v0.9.0 * github.com/editorconfig/editorconfig-core-go v2.3.7 -> v2.3.8 * github.com/go-testfixtures/testfixtures v3.4.0 -> v3.4.1 * github.com/mholt/archiver v3.3.2 -> v3.5.0 * github.com/olivere/elastic v7.0.20 -> v7.0.21 * github.com/urfave/cli v1.22.4 -> v1.22.5 * github.com/xanzy/go-gitlab v0.38.1 -> v0.39.0 * github.com/yuin/goldmark-meta untagged -> v1.0.0 * github.com/ethantkoenig/rupture 0a76f03a811a -> c3b3b810dc77 * github.com/jaytaylor/html2text 8fb95d837f7d -> 3577fbdbcff7 * github.com/kballard/go-shellquote cd60e84ee657 -> 95032a82bc51 * github.com/msteinert/pam 02ccfbfaf0cc -> 913b8f8cdf8b * github.com/unknwon/paginater 7748a72e0141 -> 042474bd0eae * CI.restart() Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-06 19:41:42 +01:00 · 2020-11-06 19:41:42 +01:00 · 30ce3731a1
commit 30ce3731a1
parent eebaa81f43
184 changed files with 12387 additions and 2975 deletions
--- a/vendor/github.com/mholt/archiver/v3/zip.go
+++ b/vendor/github.com/mholt/archiver/v3/zip.go
@ -70,6 +70,10 @@ type Zip struct {
 	// especially on extraction.
 	ImplicitTopLevelFolder bool

+	// Strip number of leading paths. This feature is available
+	// only during unpacking of the entire archive.
+	StripComponents int
+
 	// If true, errors encountered during reading
 	// or writing a single file will be logged and
 	// the operation will continue on remaining files.
@ -123,7 +127,7 @@ func (*Zip) CheckPath(to, filename string) error {
 	dest := filepath.Join(to, filename)
 	//prevent path traversal attacks
 	if !strings.HasPrefix(dest, to) {
-		return fmt.Errorf("illegal file path: %s", filename)
+		return &IllegalPathError{AbsolutePath: dest, Filename: filename}
 	}
 	return nil
 }
@ -225,7 +229,7 @@ func (z *Zip) Unarchive(source, destination string) error {
 			break
 		}
 		if err != nil {
-			if z.ContinueOnError || strings.Contains(err.Error(), "illegal file path") {
+			if z.ContinueOnError || IsIllegalPathError(err) {
 				log.Printf("[ERROR] Reading file in zip archive: %v", err)
 				continue
 			}
@ -243,19 +247,30 @@ func (z *Zip) extractNext(to string) error {
 	}
 	defer f.Close()

-	errPath := z.CheckPath(to, f.Header.(zip.FileHeader).Name)
-	if errPath != nil {
-		return fmt.Errorf("checking path traversal attempt: %v", errPath)
-	}
-	return z.extractFile(f, to)
-}
-
-func (z *Zip) extractFile(f File, to string) error {
 	header, ok := f.Header.(zip.FileHeader)
 	if !ok {
 		return fmt.Errorf("expected header to be zip.FileHeader but was %T", f.Header)
 	}

+	errPath := z.CheckPath(to, header.Name)
+	if errPath != nil {
+		return fmt.Errorf("checking path traversal attempt: %v", errPath)
+	}
+
+	if z.StripComponents > 0 {
+		if strings.Count(header.Name, "/") < z.StripComponents {
+			return nil // skip path with fewer components
+		}
+
+		for i := 0; i < z.StripComponents; i++ {
+			slash := strings.Index(header.Name, "/")
+			header.Name = header.Name[slash+1:]
+		}
+	}
+	return z.extractFile(f, to, &header)
+}
+
+func (z *Zip) extractFile(f File, to string, header *zip.FileHeader) error {
 	to = filepath.Join(to, header.Name)

 	// if a directory, no content; simply make the directory and return
@ -583,7 +598,7 @@ func (z *Zip) Extract(source, target, destination string) error {
 			}
 			joined := filepath.Join(destination, end)

-			err = z.extractFile(f, joined)
+			err = z.extractFile(f, joined, &zfh)
 			if err != nil {
 				return fmt.Errorf("extracting file %s: %v", zfh.Name, err)
 			}