
Commit f76943f

Auto merge of #4097 - nipunn1313:tarball_up2, r=Turbo87
Add a test for verify_tarball. Depends on #4096. (Because of community/community#4477 the diff against #4096 is not rendered, so you have to go to the commits tab to see the appropriate diff.)
2 parents fd1ab6a + b25ad21 commit f76943f


2 files changed

+24
-12
lines changed


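--- a/src/admin/render_readmes.rs
+++ b/src/admin/render_readmes.rs
@@ -262,13 +262,13 @@ fn find_file_by_path<R: Read>(
 }
 
 #[cfg(test)]
-mod tests {
+pub mod tests {
     use std::io::Write;
     use tar;
 
     use super::render_pkg_readme;
 
-    fn add_file<W: Write>(pkg: &mut tar::Builder<W>, path: &str, content: &[u8]) {
+    pub fn add_file<W: Write>(pkg: &mut tar::Builder<W>, path: &str, content: &[u8]) {
         let mut header = tar::Header::new_gnu();
         header.set_size(content.len() as u64);
         header.set_cksum();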
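--- a/src/controllers/krate/publish.rs
+++ b/src/controllers/krate/publish.rs
@@ -193,7 +193,8 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
     let mut tarball = Vec::new();
     LimitErrorReader::new(req.body(), maximums.max_upload_size).read_to_end(&mut tarball)?;
     let hex_cksum: String = Sha256::digest(&tarball).encode_hex();
-    verify_tarball(&krate, vers, &tarball, maximums.max_unpack_size)?;
+    let pkg_name = format!("{}-{}", krate.name, vers);
+    verify_tarball(&pkg_name, &tarball, maximums.max_unpack_size)?;
 
     if let Some(readme) = new_crate.readme {
         render::render_and_upload_readme(
@@ -363,12 +364,7 @@ pub fn add_dependencies(
     Ok(git_deps)
 }
 
-fn verify_tarball(
-    krate: &Crate,
-    vers: &semver::Version,
-    tarball: &[u8],
-    max_unpack: u64,
-) -> AppResult<()> {
+fn verify_tarball(pkg_name: &str, tarball: &[u8], max_unpack: u64) -> AppResult<()> {
     // All our data is currently encoded with gzip
     let decoder = GzDecoder::new(tarball);
 
@@ -378,7 +374,6 @@ fn verify_tarball(
 
     // Use this I/O object now to take a peek inside
     let mut archive = tar::Archive::new(decoder);
-    let prefix = format!("{}-{}", krate.name, vers);
     for entry in archive.entries()? {
         let entry = entry.map_err(|err| {
             err.chain(cargo_err(
@@ -391,7 +386,7 @@ fn verify_tarball(
         // upload a tarball that contains both `foo-0.1.0/` source code as well
         // as `bar-0.1.0/` source code, and this could overwrite other crates in
         // the registry!
-        if !entry.path()?.starts_with(&prefix) {
+        if !entry.path()?.starts_with(&pkg_name) {
             return Err(cargo_err("invalid tarball uploaded"));
         }
 
@@ -410,12 +405,29 @@ fn verify_tarball(
 
 #[cfg(test)]
 mod tests {
-    use super::missing_metadata_error_message;
+    use super::{missing_metadata_error_message, verify_tarball};
+    use crate::admin::render_readmes::tests::add_file;
+    use flate2::read::GzEncoder;
+    use std::io::Read;
 
     #[test]
     fn missing_metadata_error_message_test() {
         assert_eq!(missing_metadata_error_message(&["a"]), "missing or empty metadata fields: a. Please see https://doc.rust-lang.org/cargo/reference/manifest.html for how to upload metadata");
         assert_eq!(missing_metadata_error_message(&["a", "b"]), "missing or empty metadata fields: a, b. Please see https://doc.rust-lang.org/cargo/reference/manifest.html for how to upload metadata");
         assert_eq!(missing_metadata_error_message(&["a", "b", "c"]), "missing or empty metadata fields: a, b, c. Please see https://doc.rust-lang.org/cargo/reference/manifest.html for how to upload metadata");
     }
+
+    #[test]
+    fn verify_tarball_test() {
+        let mut pkg = tar::Builder::new(vec![]);
+        add_file(&mut pkg, "foo-0.0.1/.cargo_vcs_info.json", br#"{}"#);
+        let mut serialized_archive = vec![];
+        GzEncoder::new(pkg.into_inner().unwrap().as_slice(), Default::default())
+            .read_to_end(&mut serialized_archive)
+            .unwrap();
+
+        let limit = 512 * 1024 * 1024;
+        assert_ok!(verify_tarball("foo-0.0.1", &serialized_archive, limit));
+        assert_err!(verify_tarball("bar-0.0.1", &serialized_archive, limit));
+    }
 }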
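Review bot: The new verify_tarball_test at lines 421-432 pins only the plain prefix mismatch (`bar-0.0.1`), while the comment at lines 386-388 says the check exists to stop one upload from writing into another crate's directory; `Path::starts_with` compares components without normalising, so an entry like `foo-0.0.1/../bar-0.0.1/x` satisfies the `starts_with(&pkg_name)` test at line 389, and whether some later part of verify_tarball (outside the hunk) rejects it is not visible here. Building a second archive containing such an entry and asserting `assert_err!` on it would make the test document that property either way, and is the case a reviewer of this boundary most wants covered. Two smaller points: `starts_with(&pkg_name)` passes a `&&str` where `starts_with(pkg_name)` suffices, and the `512 * 1024 * 1024` literal in the test restates a limit that is presumably configured elsewhere, so a named constant would keep the two from drifting apart.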
