[skip-changelog] Added tests for core extraction (#941)

Federico · web-flow · commit 1e5354b5e61f · 2020-09-15T10:24:55.000+02:00
diff --git a/test/test_core.py b/test/test_core.py
@@ -194,3 +194,12 @@ def test_core_uninstall(run_command):
     result = run_command("core list --format json")
     assert result.ok
     assert not _in(result.stdout, "arduino:avr")
+
+
+def test_core_zipslip(run_command):
+    url = "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/test_index.json"
+    assert run_command("core update-index --additional-urls={}".format(url))
+
+    # Install a core and check if malicious content has been extracted.
+    run_command("core install zipslip:x86 --additional-urls={}".format(url))
+    assert os.path.exists("/tmp/evil.txt") is False
diff --git a/test/testdata/evil.zip b/test/testdata/evil.zip
diff --git a/test/testdata/test_index.json b/test/testdata/test_index.json
@@ -49,6 +49,37 @@
             "tools": [],
             "email": "test@example.com",
             "name": "test"
+        },
+        {
+            "name": "zipslip",
+            "tools": [],
+            "email": "test@example.com",
+            "maintainer": "Arduino",
+            "help": {
+                "online": "https://github.com/Arduino/arduino-cli"
+            },
+            "websiteURL": "https://github.com/Arduino/arduino-cli",
+            "platforms": [
+                {
+                    "category": "Zipslip Test",
+                    "help": {
+                        "online": "https://github.com/Arduino/arduino-cli"
+                    },
+                    "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/evil.zip",
+                    "checksum": "SHA-256:9b85dfe23f13318efc0e541327f584a0f3674a773d46a7eb8b25f0f408d07f96",
+                    "name": "zipslip",
+                    "version": "1.0.0",
+                    "architecture": "x86",
+                    "archiveFileName": "evil.zip",
+                    "size": "2184",
+                    "toolsDependencies": [],
+                    "boards": [
+                        {
+                            "name": "Test Board"
+                        }
+                    ]
+                }
+            ]
         }
     ]
 }
