craft zip file for symlink testing

[coolaj86]

We need a special zip file that cannot be created with normal commandline tools. It requires crafting with an API. This should be possible with archive/zip#Writer, for example.

We want a double entry of a file - the first being a symlink such that the second will be placed in an arbitrary location:

./goodfile.txt  "hello world"         (file)
./bad/file.txt  => ../../badfile.txt  (symlink)
./bad/file.txt  "Mwa-ha-ha"           (file)
./morefile.txt  "hello world"         (file)

This should go in testdata/testarchives/evilarchives/ as double-evil.zip and double-evil.tar (if it is allowed).

See also #242 (comment)

[kross9924]

can I work on this?

[coolaj86]

@kross9924 Do it. Assigned!

[kross9924]

@coolaj86 can you please elaborate on double-evil.zip file structure.

[coolaj86]

@kross9924 Can you ask a more specific question? What about the file structure with 4 files as described above is unclear?

[kross9924]

Is this structure correct?

double-evil.zip
1.badfile.txt 2.dir
2.1 subdir
2.1.1 goodfile.txt 2.1.2 morefile.txt 2.1.3 bad
2.1.3.1 file.txt

sorry for bad indentation

[coolaj86]

File Structure in zip / tar

The point is that you can't actually create such a malicious file structure on disk:

lsd --tree .

./
├── bad/
│  └── file.txt
├── goodfile.txt
└── morefile.txt

bad/file.txt can only be either a file, or a link. It can't be both. However, zip and tar file indexes you can manipulate.

The directory structure in the zip file table should be exactly this:

filepath	type	contents	link
./goodfile.txt	file	"hello world"	N/A
./bad/file.txt	symlink	N/A	../../badfile.txt
./bad/file.txt	file	"Mwa-ha-ha"	N/A
./morefile.txt	file	"hello world"	N/A

When on Github, use Markdown

sorry for bad indentation

Use code fences and tables:

```bash
lsd --tree .
```

```txt
./
├── bad/
│  └── file.txt
├── goodfile.txt
└── morefile.txt
```

| filepath         | type    | contents        | link                |
| ---------------- | ------- | --------------: | ------------------- |
| `./goodfile.txt` | file    | `"hello world"` | N/A                 |
| `./bad/file.txt` | symlink | N/A             | `../../badfile.txt` |
| `./bad/file.txt` | file    | `"Mwa-ha-ha"`   | N/A                 |
| `./morefile.txt` | file    | `"hello world"` | N/A                 |

[coolaj86]

@kross9924 Are you still working on this?

[kross9924]

Yes I am working

[kross9924]

Opening a symlink file inside program is dereferencing it, so how can I add it in zip file?
@coolaj86 Please help

[coolaj86]

Don’t try to use real files.

Use the zip and tar writer API with byte strings and header objects.

That said, lstat does a link stat without following the link.

[kross9924]

I am unable to figure out even after reading documentation several time.

How can I insert symlink into zip/tar file using writer API ?

@coolaj86 Please help.

[coolaj86]

Check out the golang zip test: https://golang.org/src/archive/zip/writer_test.go

Search "symlink" on that page.

symlink is a file mode, just like file and directory.

[kross9924]

In tar file there is double entry of bad/file.txt
I guess that's fine.
created a pull request
Thank you.