Re: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’.

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’.

From:	ng0
Subject:	Re: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’.
Date:	Sat, 28 Jan 2017 17:55:13 +0000

Tobias Geerinckx-Rice <address@hidden> writes:

> From this suggestion by Ludovic Courtès:
> <http://lists.gnu.org/archive/html/guix-devel/2016-09/msg01983.html>
>
> * guix/download.scm (url-fetch/zipbomb): New procedure.
> ---
>  guix/download.scm | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
>
> diff --git a/guix/download.scm b/guix/download.scm
> index e218c2e..80efb9d 100644
> --- a/guix/download.scm
> +++ b/guix/download.scm
> @@ -36,6 +36,7 @@
>    #:export (%mirrors
>              url-fetch
>              url-fetch/tarbomb
> +            url-fetch/zipbomb
>              download-to-store))
>  
>  ;;; Commentary:
> @@ -512,6 +513,35 @@ own.  This helper makes it easier to deal with \"tar 
> bombs\"."
>                                            "xf" #$drv)))
>                        #:local-build? #t)))
>  
> +(define* (url-fetch/zipbomb url hash-algo hash
> +                            #:optional name
> +                            #:key (system (%current-system))
> +                            (guile (default-guile)))
> +  "Similar to 'url-fetch' but unpack the zip file at URL in a directory of 
> its
> +own.  This helper makes it easier to deal with \"zip bombs\"."
> +  (define file-name
> +    (match url
> +      ((head _ ...)
> +       (basename head))
> +      (_
> +       (basename url))))
> +  (define unzip
> +    (module-ref (resolve-interface '(gnu packages zip)) 'unzip))
> +
> +  (mlet %store-monad ((drv (url-fetch url hash-algo hash
> +                                      (string-append "zipbomb-"
> +                                                     (or name file-name))
> +                                      #:system system
> +                                      #:guile guile)))
> +    ;; Take the zip bomb, and simply unpack it as a directory.
> +    (gexp->derivation (or name file-name)
> +                      #~(begin
> +                          (mkdir #$output)
> +                          (chdir #$output)
> +                          (zero? (system* (string-append #$unzip 
> "/bin/unzip")
> +                                          #$drv)))
> +                      #:local-build? #t)))
> +
>  (define* (download-to-store store url #:optional (name (basename url))
>                              #:key (log (current-error-port)) recursive?
>                              (verify-certificate? #t))
> -- 
> 2.9.3
>
>

Looks good to me at first, on functionality side I can atest that
the zpaq build succeeds with this.
-- 
♥Ⓐ  ng0 -- https://www.inventati.org/patternsinthechaos/

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 1/3] download: url-fetch/tarball: Make ‘name’ truly optional., Tobias Geerinckx-Rice, 2017/01/27
- [PATCH 2/3] download: Add ‘url-fetch/zipbomb’., Tobias Geerinckx-Rice, 2017/01/27
  - Re: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’., ng0 <=
  - Re: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’., Ludovic Courtès, 2017/01/30
- [PATCH 3/3] gnu: Add zpaq., Tobias Geerinckx-Rice, 2017/01/27
  - Re: [PATCH 3/3] gnu: Add zpaq., ng0, 2017/01/28
    - Re: [PATCH 3/3] gnu: Add zpaq., Tobias Geerinckx-Rice, 2017/01/28
  - Re: [PATCH 3/3] gnu: Add zpaq., Ludovic Courtès, 2017/01/30
    - Re: [PATCH 3/3] gnu: Add zpaq., Tobias Geerinckx-Rice, 2017/01/30
- Re: [PATCH 1/3] download: url-fetch/tarball: Make ‘name’ truly optional., ng0, 2017/01/28
- Re: [PATCH 1/3] download: url-fetch/tarball: Make ‘name’ truly optional., Ludovic Courtès, 2017/01/30

Prev by Date: Re: [PATCH 3/3] gnu: Add zpaq.
Next by Date: Re: [PATCH 3/3] gnu: Add zpaq.
Previous by thread: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’.
Next by thread: Re: [PATCH 2/3] download: Add ‘url-fetch/zipbomb’.
Index(es):
- Date
- Thread