CodeMirror/ShareX
1
0
Fork 0
mirror of https://github.com/ShareX/ShareX.git synced 2024-06-28 19:20:27 +12:00
Code Issues Packages Projects Releases Wiki Activity

Restrict extraction of image effect packages to 20mb to prevent zip bomb attacks

Browse source
This commit is contained in:
Jaex 2020-06-27 01:04:43 +03:00
parent 706075a148
commit 7df4ad672f
4 changed files with 116 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

78
ShareX.HelpersLib/MaxLengthStream.cs Normal file
View file

@ -0,0 +1,78 @@
#region License Information (GPL v3)
/*
ShareX - A program that allows you to take screenshots and share any file type
Copyright (c) 2007-2020 ShareX Team
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Optionally you can also view the license at <http://www.gnu.org/licenses/>.
*/
#endregion License Information (GPL v3)
using System;
using System.IO;
namespace ShareX.HelpersLib
{
internal sealed class MaxLengthStream : Stream
{
private readonly Stream stream;
private long length = 0L;
public MaxLengthStream(Stream stream, long maxLength)
{
this.stream = stream ?? throw new ArgumentNullException(nameof(stream));
MaxLength = maxLength;
}
public long MaxLength { get; }
public override bool CanRead => stream.CanRead;
public override bool CanSeek => false;
public override bool CanWrite => false;
public override long Length => stream.Length;
public override long Position
{
get => stream.Position;
set => throw new NotSupportedException();
}
public override int Read(byte[] buffer, int offset, int count)
{
int result = stream.Read(buffer, offset, count);
length += result;
if (length > MaxLength)
{
throw new Exception("Stream is larger than the maximum allowed size.");
}
return result;
}
public override void Flush() => throw new NotSupportedException();
public override long Seek(long offset, SeekOrigin origin) => throw new NotSupportedException();
public override void SetLength(long value) => throw new NotSupportedException();
public override void Write(byte[] buffer, int offset, int count) => throw new NotSupportedException();
protected override void Dispose(bool disposing)
{
stream.Dispose();
base.Dispose(disposing);
}
}
}

1
ShareX.HelpersLib/ShareX.HelpersLib.csproj
View file

@ -150,6 +150,7 @@
</Compile>
<Compile Include="Helpers\JsonHelpers.cs" />
<Compile Include="ImageFilesCache.cs" />
<Compile Include="MaxLengthStream.cs" />
<Compile Include="PointInfo.cs" />
<Compile Include="Random\RandomCrypto.cs" />
<Compile Include="Random\RandomFast.cs" />

38
ShareX.HelpersLib/ZipManager.cs
View file

@ -27,15 +27,25 @@
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
namespace ShareX.HelpersLib
{
public static class ZipManager
{
public static void Extract(string archivePath, string destination, bool retainDirectoryStructure = true, Func<ZipArchiveEntry, bool> filter = null)
public static void Extract(string archivePath, string destination, bool retainDirectoryStructure = true, Func<ZipArchiveEntry, bool> filter = null, long maxLength = 0)
{
using (ZipArchive archive = ZipFile.OpenRead(archivePath))
{
if (maxLength > 0)
{
long declaredSize = archive.Entries.Sum(entry => entry.Length);
if (declaredSize > maxLength)
{
throw new Exception("Archive is too big.");
}
}
string fullName = Directory.CreateDirectory(Path.GetFullPath(destination)).FullName;
foreach (ZipArchiveEntry entry in archive.Entries)
@ -70,13 +80,37 @@ public static void Extract(string archivePath, string destination, bool retainDi
else
{
Directory.CreateDirectory(Path.GetDirectoryName(fullPath));
entry.ExtractToFile(fullPath, true);
ExtractToFile(entry, fullPath, true);
}
}
}
}
}
private static void ExtractToFile(ZipArchiveEntry source, string destinationFileName, bool overwrite)
{
if (source == null)
{
throw new ArgumentNullException(nameof(source));
}
if (destinationFileName == null)
{
throw new ArgumentNullException(nameof(destinationFileName));
}
FileMode fMode = overwrite ? FileMode.Create : FileMode.CreateNew;
using (FileStream fs = new FileStream(destinationFileName, fMode, FileAccess.Write, FileShare.None, bufferSize: 0x1000, useAsync: false))
using (Stream es = source.Open())
using (MaxLengthStream maxLengthStream = new MaxLengthStream(es, source.Length))
{
maxLengthStream.CopyTo(fs);
}
File.SetLastWriteTime(destinationFileName, source.LastWriteTime.DateTime);
}
public static void Compress(string source, string archivePath, CompressionLevel compression = CompressionLevel.Optimal)
{
if (File.Exists(archivePath))

2
ShareX.ImageEffectsLib/ImageEffectPackager.cs
View file

@ -99,7 +99,7 @@ public static string ExtractPackage(string packageFilePath, string destination)
}
return false;
});
}, 20000000);
}
return configJson;