From ca90fcf221768df0cf03e8db5c043af82cb79180 Mon Sep 17 00:00:00 2001
From: rhaidiz <rhaidiz@protonmail.com>
Date: Wed, 9 Sep 2020 17:29:00 +0200
Subject: [PATCH] Add test core extraction

---
 test/test_core.py             |   9 +++++++++
 test/testdata/evil.zip        | Bin 0 -> 2184 bytes
 test/testdata/test_index.json |  31 +++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 test/testdata/evil.zip

diff --git a/test/test_core.py b/test/test_core.py
index ffc0ac70b30..bf33b1c0de1 100644
--- a/test/test_core.py
+++ b/test/test_core.py
@@ -194,3 +194,12 @@ def test_core_uninstall(run_command):
     result = run_command("core list --format json")
     assert result.ok
     assert not _in(result.stdout, "arduino:avr")
+
+
+def test_core_zipslip(run_command):
+    url = "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/test_index.json"
+    assert run_command("core update-index --additional-urls={}".format(url))
+
+    # Install a core and check if malicious content has been extracted.
+    run_command("core install zipslip:x86 --additional-urls={}".format(url))
+    assert os.path.exists("/tmp/evil.txt") is False
diff --git a/test/testdata/evil.zip b/test/testdata/evil.zip
new file mode 100644
index 0000000000000000000000000000000000000000..8353c005aee896715da515c0a5de8d721afa77dc
GIT binary patch
literal 2184
zcmWIWW@Zs#;Nak3KnET`0X@AKvQbHHK}>2{W{zG-MG03SFCQZd1H=FS0p9E!J0`z+
z#|1PUD8LYa)BYf!Y;k^WYD__5Ne21O0J@)2mv{nQGN29!2035=!h!)aRWJdaqNhhN
zKC$S8q$hnnJu(q67WIivPgv}Sr6+w*dLq*e5XV#M5>R>?PzQk0lRhXt(Jw3*nM4>6
z<qUEO07@6Afb1d%Ew2Z7<F*x)8W5lX$fSP$!e>7y4Ils)BNa;+eAa?u9s#;R*3!`5
z&|HWd+o19T0mOh@Jw3RCv8YE)9RXnV<mVmaoQuy^)YNeSXe;$|3qJc%Q%4jt70U~J
e)}p44+aPOc;cr$pPzvA#LLOifAPv+EU;qGJcBr8M

literal 0
HcmV?d00001

diff --git a/test/testdata/test_index.json b/test/testdata/test_index.json
index e79cb056a17..21c852546f8 100644
--- a/test/testdata/test_index.json
+++ b/test/testdata/test_index.json
@@ -49,6 +49,37 @@
             "tools": [],
             "email": "test@example.com",
             "name": "test"
+        },
+        {
+            "name": "zipslip",
+            "tools": [],
+            "email": "test@example.com",
+            "maintainer": "Arduino",
+            "help": {
+                "online": "https://github.com/Arduino/arduino-cli"
+            },
+            "websiteURL": "https://github.com/Arduino/arduino-cli",
+            "platforms": [
+                {
+                    "category": "Zipslip Test",
+                    "help": {
+                        "online": "https://github.com/Arduino/arduino-cli"
+                    },
+                    "url": "https://raw.githubusercontent.com/arduino/arduino-cli/master/test/testdata/evil.zip",
+                    "checksum": "SHA-256:9b85dfe23f13318efc0e541327f584a0f3674a773d46a7eb8b25f0f408d07f96",
+                    "name": "zipslip",
+                    "version": "1.0.0",
+                    "architecture": "x86",
+                    "archiveFileName": "evil.zip",
+                    "size": "2184",
+                    "toolsDependencies": [],
+                    "boards": [
+                        {
+                            "name": "Test Board"
+                        }
+                    ]
+                }
+            ]
         }
     ]
 }
\ No newline at end of file