Update test_download_and_extract.py

h3rrr · web-flow · commit 8d8d4a4fc01d · 2025-09-12T22:58:17.000+08:00
New test cases added as required

Signed-off-by: h3rrr &lt;81402797+h3rrr@users.noreply.github.com&gt;
diff --git a/tests/apps/test_download_and_extract.py b/tests/apps/test_download_and_extract.py
@@ -13,6 +13,9 @@
 
 import tempfile
 import unittest
+import os
+import zipfile
+import tarfile
 from pathlib import Path
 from urllib.error import ContentTooShortError, HTTPError
 
@@ -66,5 +69,187 @@ def test_default(self, key, file_type):
                 )
 
 
+class TestPathTraversalProtection(unittest.TestCase):
+    """Test cases for path traversal attack protection in extractall function."""
+    
+    def test_valid_zip_extraction(self):
+        """Test that valid zip files extract successfully without raising exceptions."""
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            # Create a valid zip file
+            zip_path = Path(tmp_dir) / "valid_test.zip"
+            extract_dir = Path(tmp_dir) / "extract"
+            extract_dir.mkdir()
+            
+            # Create zip with normal file structure
+            with zipfile.ZipFile(zip_path, 'w') as zf:
+                zf.writestr("normal_file.txt", "This is a normal file")
+                zf.writestr("subdir/nested_file.txt", "This is a nested file")
+                zf.writestr("another_file.json", '{"key": "value"}')
+            
+            # This should not raise any exception
+            try:
+                extractall(str(zip_path), str(extract_dir))
+                
+                # Verify files were extracted correctly
+                self.assertTrue((extract_dir / "normal_file.txt").exists())
+                self.assertTrue((extract_dir / "subdir" / "nested_file.txt").exists())
+                self.assertTrue((extract_dir / "another_file.json").exists())
+                
+                # Verify content
+                with open(extract_dir / "normal_file.txt", 'r') as f:
+                    self.assertEqual(f.read(), "This is a normal file")
+                    
+            except Exception as e:
+                self.fail(f"Valid zip extraction should not raise exception: {e}")
+    
+    def test_malicious_zip_path_traversal(self):
+        """Test that malicious zip files with path traversal attempts raise ValueError."""
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            # Create malicious zip file with path traversal
+            zip_path = Path(tmp_dir) / "malicious_test.zip"
+            extract_dir = Path(tmp_dir) / "extract"
+            extract_dir.mkdir()
+            
+            # Create zip with malicious paths
+            with zipfile.ZipFile(zip_path, 'w') as zf:
+                # Try to write outside extraction directory
+                zf.writestr("../../../etc/malicious.txt", "malicious content")
+                zf.writestr("normal_file.txt", "normal content")
+            
+            # This should raise ValueError due to path traversal detection
+            with self.assertRaises(ValueError) as context:
+                extractall(str(zip_path), str(extract_dir))
+            
+            self.assertIn("unsafe path", str(context.exception).lower())
+    
+    def test_valid_tar_extraction(self):
+        """Test that valid tar files extract successfully without raising exceptions."""
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            # Create a valid tar file
+            tar_path = Path(tmp_dir) / "valid_test.tar.gz"
+            extract_dir = Path(tmp_dir) / "extract"
+            extract_dir.mkdir()
+            
+            # Create tar with normal file structure
+            with tarfile.open(tar_path, 'w:gz') as tf:
+                # Create temporary files to add to tar
+                temp_file1 = Path(tmp_dir) / "temp1.txt"
+                temp_file1.write_text("This is a normal file")
+                tf.add(temp_file1, arcname="normal_file.txt")
+                
+                temp_file2 = Path(tmp_dir) / "temp2.txt"
+                temp_file2.write_text("This is a nested file")
+                tf.add(temp_file2, arcname="subdir/nested_file.txt")
+            
+            # This should not raise any exception
+            try:
+                extractall(str(tar_path), str(extract_dir))
+                
+                # Verify files were extracted correctly
+                self.assertTrue((extract_dir / "normal_file.txt").exists())
+                self.assertTrue((extract_dir / "subdir" / "nested_file.txt").exists())
+                
+                # Verify content
+                with open(extract_dir / "normal_file.txt", 'r') as f:
+                    self.assertEqual(f.read(), "This is a normal file")
+                    
+            except Exception as e:
+                self.fail(f"Valid tar extraction should not raise exception: {e}")
+    
+    def test_malicious_tar_path_traversal(self):
+        """Test that malicious tar files with path traversal attempts raise ValueError."""
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            # Create malicious tar file with path traversal
+            tar_path = Path(tmp_dir) / "malicious_test.tar.gz"
+            extract_dir = Path(tmp_dir) / "extract"
+            extract_dir.mkdir()
+            
+            # Create tar with malicious paths
+            with tarfile.open(tar_path, 'w:gz') as tf:
+                # Create a temporary file
+                temp_file = Path(tmp_dir) / "temp.txt"
+                temp_file.write_text("malicious content")
+                
+                # Add with malicious path (trying to write outside extraction directory)
+                tf.add(temp_file, arcname="../../../etc/malicious.txt")
+            
+            # This should raise ValueError due to path traversal detection
+            with self.assertRaises(ValueError) as context:
+                extractall(str(tar_path), str(extract_dir))
+            
+            self.assertIn("unsafe path", str(context.exception).lower())
+    
+    def test_absolute_path_protection(self):
+        """Test protection against absolute paths in archives."""
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            # Create zip with absolute path
+            zip_path = Path(tmp_dir) / "absolute_path_test.zip"
+            extract_dir = Path(tmp_dir) / "extract"
+            extract_dir.mkdir()
+            
+            with zipfile.ZipFile(zip_path, 'w') as zf:
+                # Try to use absolute path
+                zf.writestr("/etc/passwd", "malicious content")
+            
+            # This should raise ValueError due to absolute path detection
+            with self.assertRaises(ValueError) as context:
+                extractall(str(zip_path), str(extract_dir))
+            
+            self.assertIn("unsafe path", str(context.exception).lower())
+
+    def test_malicious_symlink_protection(self):  
+        """Test protection against malicious symlinks in tar archives."""  
+        with tempfile.TemporaryDirectory() as tmp_dir:  
+            # Create malicious tar file with symlink  
+            tar_path = Path(tmp_dir) / "malicious_symlink_test.tar.gz"  
+            extract_dir = Path(tmp_dir) / "extract"  
+            extract_dir.mkdir()  
+              
+            # Create tar with malicious symlink  
+            with tarfile.open(tar_path, 'w:gz') as tf:   
+                temp_file = Path(tmp_dir) / "normal.txt"  
+                temp_file.write_text("normal content")  
+                tf.add(temp_file, arcname="normal.txt")  
+                   
+                symlink_info = tarfile.TarInfo(name="malicious_symlink.txt")  
+                symlink_info.type = tarfile.SYMTYPE  
+                symlink_info.linkname = "../../../etc/passwd"  
+                symlink_info.size = 0  
+                tf.addfile(symlink_info)  
+              
+            with self.assertRaises(ValueError) as context:  
+                extractall(str(tar_path), str(extract_dir))  
+              
+            error_msg = str(context.exception).lower()
+            self.assertTrue("unsafe path" in error_msg or "symlink" in error_msg)
+      
+    def test_malicious_hardlink_protection(self):  
+        """Test protection against malicious hard links in tar archives."""  
+        with tempfile.TemporaryDirectory() as tmp_dir:  
+            # Create malicious tar file with hard link  
+            tar_path = Path(tmp_dir) / "malicious_hardlink_test.tar.gz"  
+            extract_dir = Path(tmp_dir) / "extract"  
+            extract_dir.mkdir()  
+              
+            # Create tar with malicious hard link  
+            with tarfile.open(tar_path, 'w:gz') as tf:    
+                temp_file = Path(tmp_dir) / "normal.txt"  
+                temp_file.write_text("normal content")  
+                tf.add(temp_file, arcname="normal.txt")  
+                   
+                hardlink_info = tarfile.TarInfo(name="malicious_hardlink.txt")  
+                hardlink_info.type = tarfile.LNKTYPE  
+                hardlink_info.linkname = "/etc/passwd"  
+                hardlink_info.size = 0  
+                tf.addfile(hardlink_info)  
+                
+            with self.assertRaises(ValueError) as context:  
+                extractall(str(tar_path), str(extract_dir))  
+              
+            error_msg = str(context.exception).lower()
+            self.assertTrue("unsafe path" in error_msg or "hardlink" in error_msg)
+
+
+
 if __name__ == "__main__":
     unittest.main()
