Auto merge of #4097 - nipunn1313:tarball_up2, r=Turbo87

Add a test for verify_tarball

Depends on #4096.

(Because of community/community#4477 - it doesn't render the diff against #4096 - so you have to go to commits tab to see appropriate diff).

Author: bors

src/admin/render_readmes.rs

@@ -262,13 +262,13 @@ fn find_file_by_path<R: Read>(
 }
 
 #[cfg(test)]
-mod tests {
+pub mod tests {
     use std::io::Write;
     use tar;
 
     use super::render_pkg_readme;
 
-    fn add_file<W: Write>(pkg: &mut tar::Builder<W>, path: &str, content: &[u8]) {
+    pub fn add_file<W: Write>(pkg: &mut tar::Builder<W>, path: &str, content: &[u8]) {
         let mut header = tar::Header::new_gnu();
         header.set_size(content.len() as u64);
         header.set_cksum();

src/controllers/krate/publish.rs

@@ -193,7 +193,8 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
         let mut tarball = Vec::new();
         LimitErrorReader::new(req.body(), maximums.max_upload_size).read_to_end(&mut tarball)?;
         let hex_cksum: String = Sha256::digest(&tarball).encode_hex();
-        verify_tarball(&krate, vers, &tarball, maximums.max_unpack_size)?;
+        let pkg_name = format!("{}-{}", krate.name, vers);
+        verify_tarball(&pkg_name, &tarball, maximums.max_unpack_size)?;
 
         if let Some(readme) = new_crate.readme {
             render::render_and_upload_readme(
@@ -363,12 +364,7 @@ pub fn add_dependencies(
     Ok(git_deps)
 }
 
-fn verify_tarball(
-    krate: &Crate,
-    vers: &semver::Version,
-    tarball: &[u8],
-    max_unpack: u64,
-) -> AppResult<()> {
+fn verify_tarball(pkg_name: &str, tarball: &[u8], max_unpack: u64) -> AppResult<()> {
     // All our data is currently encoded with gzip
     let decoder = GzDecoder::new(tarball);
 
@@ -378,7 +374,6 @@ fn verify_tarball(
 
     // Use this I/O object now to take a peek inside
     let mut archive = tar::Archive::new(decoder);
-    let prefix = format!("{}-{}", krate.name, vers);
     for entry in archive.entries()? {
         let entry = entry.map_err(|err| {
             err.chain(cargo_err(
@@ -391,7 +386,7 @@ fn verify_tarball(
         // upload a tarball that contains both `foo-0.1.0/` source code as well
         // as `bar-0.1.0/` source code, and this could overwrite other crates in
         // the registry!
-        if !entry.path()?.starts_with(&prefix) {
+        if !entry.path()?.starts_with(&pkg_name) {
             return Err(cargo_err("invalid tarball uploaded"));
         }
 
@@ -410,12 +405,29 @@ fn verify_tarball(
 
 #[cfg(test)]
 mod tests {
-    use super::missing_metadata_error_message;
+    use super::{missing_metadata_error_message, verify_tarball};
+    use crate::admin::render_readmes::tests::add_file;
+    use flate2::read::GzEncoder;
+    use std::io::Read;
 
     #[test]
     fn missing_metadata_error_message_test() {
         assert_eq!(missing_metadata_error_message(&["a"]), "missing or empty metadata fields: a. Please see https://doc.rust-lang.org/cargo/reference/manifest.html for how to upload metadata");
         assert_eq!(missing_metadata_error_message(&["a", "b"]), "missing or empty metadata fields: a, b. Please see https://doc.rust-lang.org/cargo/reference/manifest.html for how to upload metadata");
         assert_eq!(missing_metadata_error_message(&["a", "b", "c"]), "missing or empty metadata fields: a, b, c. Please see https://doc.rust-lang.org/cargo/reference/manifest.html for how to upload metadata");
     }
+
+    #[test]
+    fn verify_tarball_test() {
+        let mut pkg = tar::Builder::new(vec![]);
+        add_file(&mut pkg, "foo-0.0.1/.cargo_vcs_info.json", br#"{}"#);
+        let mut serialized_archive = vec![];
+        GzEncoder::new(pkg.into_inner().unwrap().as_slice(), Default::default())
+            .read_to_end(&mut serialized_archive)
+            .unwrap();
+
+        let limit = 512 * 1024 * 1024;
+        assert_ok!(verify_tarball("foo-0.0.1", &serialized_archive, limit));
+        assert_err!(verify_tarball("bar-0.0.1", &serialized_archive, limit));
+    }
 }