diff --git a/test/test_core.py b/test/test_core.py
index ffc0ac70b30..bf33b1c0de1 100644
--- a/test/test_core.py
+++ b/test/test_core.py
@@ -194,3 +194,12 @@ def test_core_uninstall(run_command):
 result = run_command("core list --format json")
 assert result.ok
 assert not _in(result.stdout, "arduino:avr")
+
+
+def test_core_zipslip(run_command):
+ url = "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/test_index.json"
+ assert run_command("core update-index --additional-urls={}".format(url))
+
+ # Install a core and check if malicious content has been extracted.
+ run_command("core install zipslip:x86 --additional-urls={}".format(url))
+ assert os.path.exists("/tmp/evil.txt") is False
diff --git a/test/testdata/evil.zip b/test/testdata/evil.zip
new file mode 100644
index 00000000000..8353c005aee
Binary files /dev/null and b/test/testdata/evil.zip differ
diff --git a/test/testdata/test_index.json b/test/testdata/test_index.json
index e79cb056a17..21c852546f8 100644
--- a/test/testdata/test_index.json
+++ b/test/testdata/test_index.json
@@ -49,6 +49,37 @@
 "tools": [],
 "email": "test@example.com",
 "name": "test"
+ },
+ {
+ "name": "zipslip",
+ "tools": [],
+ "email": "test@example.com",
+ "maintainer": "Arduino",
+ "help": {
+ "online": "https://github.com/Arduino/arduino-cli"
+ },
+ "websiteURL": "https://github.com/Arduino/arduino-cli",
+ "platforms": [
+ {
+ "category": "Zipslip Test",
+ "help": {
+ "online": "https://github.com/Arduino/arduino-cli"
+ },
+ "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/evil.zip",
+ "checksum": "SHA-256:9b85dfe23f13318efc0e541327f584a0f3674a773d46a7eb8b25f0f408d07f96",
+ "name": "zipslip",
+ "version": "1.0.0",
+ "architecture": "x86",
+ "archiveFileName": "evil.zip",
+ "size": "2184",
+ "toolsDependencies": [],
+ "boards": [
+ {
+ "name": "Test Board"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
\ No newline at end of file
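Review bot: The first assertion in `test_core_zipslip` asserts the truthiness of the `run_command` return value rather than its exit status; the context lines from `test_core_uninstall` in the same hunk use `assert result.ok`, which suggests the return is a result object that is truthy even when the command fails, so a broken `core update-index` would go unnoticed. The install step has the mirror-image gap: it never checks that the CLI actually rejected the archive, so the `/tmp/evil.txt` assertion passes vacuously when the download or install failed for an unrelated reason, while a stale `/tmp/evil.txt` left by an earlier run fails it for the wrong reason. I would capture both results, assert `result.ok` on update-index, remove any pre-existing `/tmp/evil.txt` before the install, and — if the intended behaviour is to refuse the archive rather than skip the offending entry — assert `not result.ok` on the install. Note also that both the index and `evil.zip` are fetched from the `master` branch on GitHub, so the test requires network access and exercises the fixture on master rather than the one in the checked-out tree.
```python
def test_core_zipslip(run_command):
    # … unchanged: url = "https://raw.githubusercontent.com/…/test_index.json" …
    result = run_command("core update-index --additional-urls={}".format(url))
    assert result.ok

    # Start from a clean slate so the check below reflects this run only.
    if os.path.exists("/tmp/evil.txt"):
        os.remove("/tmp/evil.txt")

    # The traversal entry must be refused, not merely left unextracted.
    result = run_command("core install zipslip:x86 --additional-urls={}".format(url))
    assert not result.ok
    assert os.path.exists("/tmp/evil.txt") is False
```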