InvalidNameException(Parent traversal in paths is not allowed) is thrown when trying to extract directory archive with RootPath
6opuc opened this issue · 2 comments
6opuc commented
Steps to reproduce
- Create archive from /some/directory using SharpZipLib: recursive, set RootPath to /some/directory
- Extact this archive using SharpZipLib
Expected behavior
Archive should be extracted
Actual behavior
InvalidNameException(Parent traversal in paths is not allowed)
Version of SharpZipLib
1.3.3
Obtained from (only keep the relevant lines)
- Package installed using NuGet
Example
using System.Text;
using ICSharpCode.SharpZipLib.GZip;
using ICSharpCode.SharpZipLib.Tar;
var directory = $"/tmp/{Guid.NewGuid()}";
Directory.CreateDirectory(directory);
File.WriteAllText($"{directory}/1.txt", "1");
var archiveFilePath = $"/tmp/{Guid.NewGuid()}.tar.gz";
using (var archiveStream = new GZipOutputStream(File.Create(archiveFilePath)))
{
using (TarArchive tarArchive = TarArchive.CreateOutputTarArchive(archiveStream, Encoding.UTF8))
{
tarArchive.RootPath = directory;
// this is workaround for another issue: tarArchive.RootPath is ignored otherwise
while (tarArchive.RootPath.StartsWith("/", StringComparison.Ordinal))
{
tarArchive.RootPath = tarArchive.RootPath.Substring(1);
}
var entry = TarEntry.CreateEntryFromFile(directory);
// ExtractContents fails without this line of code below: Parent traversal in paths is not allowed
//entry.Name += "./";
tarArchive.WriteEntry(entry, true);
}
}
using (var archiveStream = File.OpenRead(archiveFilePath))
{
using (var gzipStream = new GZipInputStream(archiveStream))
{
using (var tarArchive = TarArchive.CreateInputTarArchive(gzipStream, Encoding.UTF8))
{
tarArchive.ExtractContents($"/tmp/{Guid.NewGuid()}");
}
}
}
Console.WriteLine("Done");
piksel commented
If you want to allow path traversal, you need to explicitly allow it using ExtractContents(String, Boolean).
To log the actual internal file paths of the tar archive (on either extract and/or create), use:
tarArchive.ProgressMessageEvent += (archive, entry, message) => {
Console.WriteLine($"{entry.Name}: {message}");
}
piksel commented
I think the core of this issue was what #582 fixed. The sample above works as expected in v1.4+:
https://dotnetfiddle.net/TDSoGn