Remove bomb.zip test file

This file was useful to verify the zip bomb protections worked properly against a real "zip bomb", but is not required to verify out mitigations works in our tests. Including a real zip bomb lead to confusion and reports of anti-virus causing issues for users.
hashicorp · Mar 10, 2023 · 32cd097 · 32cd097
1 parent 0edab85
commit 32cd097
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 14 deletions.
diff --git a/decompress_zip_test.go b/decompress_zip_test.go
@@ -1,6 +1,10 @@
 package getter
 
 import (
+	"archive/zip"
+	"bytes"
+	"io/ioutil"
+	"log"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -132,23 +136,67 @@ func TestDecompressZipPermissions(t *testing.T) {
 }
 
 func TestDecompressZipBomb(t *testing.T) {
-	// If the zip decompression bomb protection fails, this can fill up disk space on the entire
-	// computer.
-	if os.Getenv("GO_GETTER_TEST_ZIP_BOMB") != "true" {
-		t.Skip("skipping potentially dangerous test without GO_GETTER_TEST_ZIP_BOMB=true")
+	buf := new(bytes.Buffer)
+
+	// Create a zip file inline, written to the buffer.
+	{
+		w := zip.NewWriter(buf)
+
+		var files = []struct {
+			Name, Body string
+		}{
+			{"readme.txt", "This archive contains some text files."},
+			{"gopher.txt", "Gopher names:\nGeorge\nGeoffrey\nGonzo"},
+			{"todo.txt", "Get animal handling licence.\nWrite more examples."},
+		}
+		for _, file := range files {
+			f, err := w.Create(file.Name)
+			if err != nil {
+				t.Fatal(err)
+			}
+			_, err = f.Write([]byte(file.Body))
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+
+		err := w.Close()
+		if err != nil {
+			log.Fatal(err)
+		}
 	}
 
-	// https://www.bamsoftware.com/hacks/zipbomb/zblg.zip
-	srcPath := filepath.Join("./testdata", "decompress-zip", "bomb.zip")
+	td, err := ioutil.TempDir("", "go-getter-zip")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
 
-	d := new(ZipDecompressor)
-	d.FileSizeLimit = 512
+	zipFilePath := filepath.Join(td, "input.zip")
 
-	err := d.Decompress(t.TempDir(), srcPath, true, 0644)
-	if err == nil {
-		t.FailNow()
-	}
-	if !strings.Contains(err.Error(), "zip archive larger than limit: 512") {
-		t.Fatalf("unexpected error: %q", err.Error())
+	err = os.WriteFile(zipFilePath, buf.Bytes(), 0666)
+	if err != nil {
+		t.Fatalf("err: %s", err)
 	}
+
+	t.Run("error with limit", func(t *testing.T) {
+		d := new(ZipDecompressor)
+		d.FileSizeLimit = 7 // bytes
+
+		err = d.Decompress(t.TempDir(), zipFilePath, true, 0644)
+		if err == nil {
+			t.FailNow()
+		}
+		if !strings.Contains(err.Error(), "zip archive larger than limit: 7") {
+			t.Fatalf("unexpected error: %q", err.Error())
+		}
+	})
+
+	t.Run("no error without limit", func(t *testing.T) {
+		d := new(ZipDecompressor)
+
+		err = d.Decompress(t.TempDir(), zipFilePath, true, 0644)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+	})
 }
diff --git a/testdata/decompress-zip/bomb.zip b/testdata/decompress-zip/bomb.zip