2
0

ZipSlipVulnerabilityTest.php 1.4 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556
  1. <?php
  2. declare(strict_types=1);
  3. /*
  4. * This file is part of the nelexa/zip package.
  5. * (c) Ne-Lexa <https://github.com/Ne-Lexa/php-zip>
  6. * For the full copyright and license information, please view the LICENSE
  7. * file that was distributed with this source code.
  8. */
  9. namespace PhpZip\Tests;
  10. use PhpZip\Exception\ZipException;
  11. use PhpZip\ZipFile;
  12. /**
  13. * Class ZipSlipVulnerabilityTest.
  14. *
  15. * @see https://github.com/Ne-Lexa/php-zip/issues/39 Issue#31
  16. * @see https://snyk.io/research/zip-slip-vulnerability Zip Slip Vulnerability
  17. *
  18. * @internal
  19. *
  20. * @small
  21. */
  22. class ZipSlipVulnerabilityTest extends ZipTestCase
  23. {
  24. /**
  25. * @throws ZipException
  26. */
  27. public function testCreateSlipVulnerabilityFile(): void
  28. {
  29. $localFile = '../dir/./../../file.txt';
  30. $zipFile = new ZipFile();
  31. $zipFile->addFromString($localFile, 'contents');
  32. static::assertContains($localFile, $zipFile->getListFiles());
  33. $zipFile->close();
  34. }
  35. /**
  36. * @throws ZipException
  37. */
  38. public function testUnpack(): void
  39. {
  40. static::assertTrue(mkdir($this->outputDirname, 0755, true));
  41. $zipFile = new ZipFile();
  42. $zipFile->addFromString('../dir/./../../file.txt', 'contents');
  43. $zipFile->extractTo($this->outputDirname);
  44. $zipFile->close();
  45. $expectedExtractedFile = $this->outputDirname . '/dir/file.txt';
  46. static::assertTrue(is_file($expectedExtractedFile));
  47. }
  48. }