SECURITY: Safely decompress files. (#8124)

* FEATURE: Adds an extra protection layer when decompressing files. * Rename exporter/importer to zip importer. Update old locale * Added a new composite class to decompress a file with multiple strategies * Set max file size inside a site setting * Ensure that file is deleted after compression * Sanitize path and files before compressing/decompressing
2025-05-22 22:43:33 +08:00 · 2019-10-03 10:19:35 -03:00
parent aaf15944f8
commit 10565e4623
20 changed files with 466 additions and 101 deletions
--- a/lib/compression/tar.rb
+++ b/lib/compression/tar.rb
@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rubygems/package'
+
+module Compression
+  class Tar < Strategy
+    def extension
+      '.tar'
+    end
+
+    def compress(path, target_name)
+      tar_filename = sanitize_filename("#{target_name}.tar")
+      Discourse::Utils.execute_command('tar', '--create', '--file', tar_filename, target_name, failure_message: "Failed to tar file.")
+
+      sanitize_path("#{path}/#{tar_filename}")
+    end
+
+    private
+
+    def extract_folder(_entry, _entry_path); end
+
+    def get_compressed_file_stream(compressed_file_path)
+      file_stream = IO.new(IO.sysopen(compressed_file_path))
+      tar_extract = Gem::Package::TarReader.new(file_stream)
+      tar_extract.rewind
+      yield(tar_extract)
+    end
+
+    def build_entry_path(_compressed_file, dest_path, compressed_file_path, entry, _allow_non_root_folder)
+      File.join(dest_path, entry.full_name).tap do |entry_path|
+        FileUtils.mkdir_p(File.dirname(entry_path))
+      end
+    end
+  end
+end