Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

Commit4a6ae72

Browse files
committed
Verify invulnerability to tarmageddon attack
See:https://edera.dev/stories/tarmageddon
1 parent64728e8 commit4a6ae72

File tree

2 files changed

+104
-0
lines changed

2 files changed

+104
-0
lines changed

‎test/header.js‎

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -669,3 +669,14 @@ t.test('gnutar-generated 10gb file size', t => {
669669
t.throws(()=>(h.type='Z'))
670670
t.end()
671671
})
672+
673+
t.test('tarmageddon, ensure that Header prioritizes Pax size',asynct=>{
674+
consth=newHeader({
675+
path:'file.txt',
676+
size:0,
677+
})
678+
h.encode()
679+
t.equal(h.size,0,'size is zero in raw ustar header')
680+
consthPax=newHeader(h.block,0,{size:123})
681+
t.equal(hPax.size,123,'if size is set in pax, takes priority')
682+
})

‎test/parse.js‎

Lines changed: 93 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ import { Minipass } from 'minipass'
88
import{Header}from'../dist/esm/header.js'
99
importEEfrom'events'
1010
import{fileURLToPath}from'url'
11+
import{Pax}from'../dist/esm/pax.js'
1112

1213
const__filename=fileURLToPath(import.meta.url)
1314
const__dirname=dirname(__filename)
@@ -995,3 +996,95 @@ t.test('warnings that are not so bad', t => {
995996
})
996997
p.end(data)
997998
})
999+
1000+
// verify that node-tar is not vulnerable to tarmageddon attack
1001+
// https://edera.dev/stories/tarmageddon
1002+
t.test('tarmageddon',t=>{
1003+
// this is the nested tarball that will be inside the archive
1004+
1005+
constnested=makeTar([
1006+
{
1007+
path:'one',
1008+
size:1,
1009+
type:'File',
1010+
},
1011+
'1',
1012+
])
1013+
1014+
// gutcheck
1015+
t.equal(nested.byteLength,1024)
1016+
1017+
// Expect this one to have 2 entries.
1018+
// First a zero-length nested.tar, then the 'one' file.
1019+
t.test('no pax, 2 entries',t=>{
1020+
constnoPax=makeTar([
1021+
{
1022+
path:'nested.tar',
1023+
size:0,
1024+
},
1025+
nested,
1026+
'',
1027+
'',
1028+
])
1029+
1030+
constexpect=[
1031+
{size:0,path:'nested.tar'},
1032+
{size:1,path:'one'},
1033+
]
1034+
1035+
constactual=[]
1036+
constp=newParser()
1037+
p.on('entry',e=>{
1038+
e.resume()
1039+
actual.push({
1040+
size:e.size,
1041+
path:e.path,
1042+
})
1043+
})
1044+
1045+
p.on('end',()=>{
1046+
t.strictSame(actual,expect)
1047+
t.end()
1048+
})
1049+
1050+
p.end(noPax)
1051+
})
1052+
1053+
t.test('with pax, 1 entry',asynct=>{
1054+
// when there is a Pax header, that size overrides the size in
1055+
// the ustar header block.
1056+
constwithPax=makeTar([
1057+
newPax({
1058+
path:'nested.tar',
1059+
// actual size of nested tarball, 1024 bytes
1060+
size:nested.byteLength
1061+
}).encode(),
1062+
{
1063+
path:'nested.tar',
1064+
// fake size, attempting to unpack tar's contents directly
1065+
size:0,
1066+
},
1067+
nested,
1068+
])
1069+
1070+
// expect a single 1024 byte file entry to be emitted
1071+
constexpect=[{size:1024,path:'nested.tar'}]
1072+
1073+
constactual=[]
1074+
constp=newParser()
1075+
p.on('entry',e=>{
1076+
actual.push({
1077+
size:e.size,
1078+
path:e.path,
1079+
})
1080+
e.resume()
1081+
})
1082+
p.on('end',()=>{
1083+
t.strictSame(actual,expect)
1084+
t.end()
1085+
})
1086+
p.end(withPax)
1087+
})
1088+
1089+
t.end()
1090+
})

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp