icsharpcode/SharpZipLib

InvalidNameException(Parent traversal in paths is not allowed) is thrown when trying to extract directory archive with RootPath

6opuc opened this issue · 2 comments

6opuc commented

Steps to reproduce

  1. Create archive from /some/directory using SharpZipLib: recursive, set RootPath to /some/directory
  2. Extact this archive using SharpZipLib

Expected behavior

Archive should be extracted

Actual behavior

InvalidNameException(Parent traversal in paths is not allowed)

Version of SharpZipLib

1.3.3

Obtained from (only keep the relevant lines)

  • Package installed using NuGet

Example

using System.Text;
using ICSharpCode.SharpZipLib.GZip;
using ICSharpCode.SharpZipLib.Tar;

var directory = $"/tmp/{Guid.NewGuid()}";
Directory.CreateDirectory(directory);
File.WriteAllText($"{directory}/1.txt", "1");

var archiveFilePath = $"/tmp/{Guid.NewGuid()}.tar.gz";

using (var archiveStream = new GZipOutputStream(File.Create(archiveFilePath)))
{
    using (TarArchive tarArchive = TarArchive.CreateOutputTarArchive(archiveStream, Encoding.UTF8))
    {
        tarArchive.RootPath = directory;
        // this is workaround for another issue: tarArchive.RootPath is ignored otherwise
        while (tarArchive.RootPath.StartsWith("/", StringComparison.Ordinal))
        {
            tarArchive.RootPath = tarArchive.RootPath.Substring(1);
        }
        var entry = TarEntry.CreateEntryFromFile(directory);
        // ExtractContents fails without this line of code below:  Parent traversal in paths is not allowed
        //entry.Name += "./";
        tarArchive.WriteEntry(entry, true);
    }
}

using (var archiveStream = File.OpenRead(archiveFilePath))
{
    using (var gzipStream = new GZipInputStream(archiveStream))
    {
        using (var tarArchive = TarArchive.CreateInputTarArchive(gzipStream, Encoding.UTF8))
        {
            tarArchive.ExtractContents($"/tmp/{Guid.NewGuid()}");
        }
    }
}

Console.WriteLine("Done");
piksel commented

If you want to allow path traversal, you need to explicitly allow it using ExtractContents(String, Boolean).

To log the actual internal file paths of the tar archive (on either extract and/or create), use:

tarArchive.ProgressMessageEvent += (archive, entry, message) => {
	Console.WriteLine($"{entry.Name}: {message}");
}
piksel commented

I think the core of this issue was what #582 fixed. The sample above works as expected in v1.4+:
https://dotnetfiddle.net/TDSoGn