3 files changed +40 -0 lines changed
@@ -194,3 +194,12 @@ def test_core_uninstall(run_command):
194194 result = run_command ("core list --format json" )
195195 assert result .ok
196196 assert not _in (result .stdout , "arduino:avr" )
197+
198+
199+ def test_core_zipslip (run_command ):
200+ url = "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/test_index.json"
201+ assert run_command ("core update-index --additional-urls={}" .format (url ))
202+
203+ # Install a core and check if malicious content has been extracted.
204+ run_command ("core install zipslip:x86 --additional-urls={}" .format (url ))
205+ assert os .path .exists ("/tmp/evil.txt" ) is False
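Review bot: The final assertion in `test_core_zipslip` can pass without the archive ever being extracted, because the result of the `core install zipslip:x86` call is discarded; a failed download, a checksum mismatch or an unreachable index also leaves `/tmp/evil.txt` absent. Capture it with `result = run_command("core install zipslip:x86 --additional-urls={}".format(url))` and assert the outcome the extractor is expected to produce, such as a failed command whose stderr reports the rejected entry; the exact message is not visible on this page. The check also relies on a fixed absolute path and on the `master`-branch URLs used here and in the index fixture's platform entry, so a leftover `/tmp/evil.txt` from another run would fail the test for the wrong reason; adding `assert not os.path.exists("/tmp/evil.txt")` before the install would separate those cases. The index-update line asserts the result object itself, while the context lines above use `result.ok`, and `is False` would read more idiomatically as `not os.path.exists(...)`.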
4949 "tools" : [],
5050 "email" : " test@example.com" ,
5151 "name" : " test"
52+ },
53+ {
54+ "name" : " zipslip" ,
55+ "tools" : [],
56+ "email" : " test@example.com" ,
57+ "maintainer" : " Arduino" ,
58+ "help" : {
59+ "online" : " https://github.com/Arduino/arduino-cli"
60+ },
61+ "websiteURL" : " https://github.com/Arduino/arduino-cli" ,
62+ "platforms" : [
63+ {
64+ "category" : " Zipslip Test" ,
65+ "help" : {
66+ "online" : " https://github.com/Arduino/arduino-cli"
67+ },
68+ "url" : " https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/evil.zip" ,
69+ "checksum" : " SHA-256:9b85dfe23f13318efc0e541327f584a0f3674a773d46a7eb8b25f0f408d07f96" ,
70+ "name" : " zipslip" ,
71+ "version" : " 1.0.0" ,
72+ "architecture" : " x86" ,
73+ "archiveFileName" : " evil.zip" ,
74+ "size" : " 2184" ,
75+ "toolsDependencies" : [],
76+ "boards" : [
77+ {
78+ "name" : " Test Board"
79+ }
80+ ]
81+ }
82+ ]
5283 }
5384 ]
5485}