jake/careful-downloader
1
Fork 0
mirror of https://github.com/jakejarvis/careful-downloader.git synced 2025-09-18 13:45:32 -04:00
Code Issues Releases Activity

Stricter paths to prevent traversal & remove custom tempDir option

Browse Source
This commit is contained in:
Jake Jarvis
2021-10-07 11:07:31 -04:00
parent 211ccd401d
commit 8e89d84eda
5 changed files with 45 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
test/index.js
View File

@@ -1,50 +1,63 @@
/* eslint-env mocha */
import fs from "fs-extra";
import path from "path";
import tempy from "tempy";
import { fileURLToPath } from "url";
import { expect } from "chai";
import downloader from "../index.js";
// https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c#what-do-i-use-instead-of-__dirname-and-__filename
const __dirname = path.dirname(fileURLToPath(import.meta.url));
it("verified checksum, hugo.exe was extracted", async function () {
this.timeout(30000); // increase timeout to an excessive 30 seconds for CI
const outDir = path.join(tempy.directory());
await downloader(
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_extended_0.88.1_Windows-64bit.zip",
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_0.88.1_checksums.txt",
{
destDir: outDir,
destDir: path.join(__dirname, "temp"),
algorithm: "sha256",
encoding: "binary",
extract: true,
},
);
expect(fs.existsSync(path.join(outDir, "hugo.exe"))).to.be.true;
expect(fs.existsSync(path.join(__dirname, "temp", "hugo.exe"))).to.be.true;
fs.removeSync(outDir);
// clean up
fs.removeSync(path.join(__dirname, "temp"));
});
it("incorrect checksum, not extracted", async function () {
this.timeout(30000); // increase timeout to an excessive 30 seconds for CI
const outDir = path.join(tempy.directory());
expect(async () => downloader(
// download mismatching versions to trigger error
"https://github.com/gohugoio/hugo/releases/download/v0.88.0/hugo_0.88.0_Windows-64bit.zip",
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_0.88.1_checksums.txt",
{
destDir: outDir,
destDir: path.join(__dirname, "temp"),
algorithm: "sha256",
encoding: "binary",
extract: false,
},
)).to.throw;
expect(fs.existsSync(path.join(outDir, "hugo.exe"))).to.be.false;
expect(fs.existsSync(path.join(__dirname, "temp", "hugo.exe"))).to.be.false;
fs.removeSync(outDir);
// clean up
fs.removeSync(path.join(__dirname, "temp"));
});
it("destDir located outside of module, throw error", async function () {
this.timeout(30000); // increase timeout to an excessive 30 seconds for CI
expect(async () => downloader(
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_0.88.1_Windows-64bit.zip",
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_0.88.1_checksums.txt",
{
destDir: "../vendor", // invalid path
},
)).to.throw;
});