test/tools: import path traversal tests from squahfs-tools-ng

This adds a test for the path traversal vulnerability in rdsquashfs and adapted to work with sqsh-unpack. Thanks to @AgentD and the squahfs-tools-ng project to provide these tests.
Gottox · Aug 10, 2023 · a1e2523 · a1e2523
1 parent 825cf2a
commit a1e2523
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/test/meson.build b/test/meson.build
@@ -42,6 +42,7 @@ sqsh_extended_test = [
     'tools/cat/large-file-uncompressed.sh',
     'tools/read-chunk/tail.sh',
     'tools/unpack/repack.sh',
+    'tools/unpack/pathtraversal/pathtraversal.sh',
 ]
 sqsh_extended_fs_test = [
     'tools/fs/large-file.sh',

diff --git a/test/tools/unpack/pathtraversal/README.md b/test/tools/unpack/pathtraversal/README.md
@@ -0,0 +1 @@
+These script and archives are taken from the [squashfs-tools-ng project](https://github.com/AgentD/squashfs-tools-ng/tree/72c8155d9fc0eaeac72c053f46ebb7b231d4596a/bin/rdsquashfs/test)
diff --git a/test/tools/unpack/pathtraversal/pathtraversal.sh b/test/tools/unpack/pathtraversal/pathtraversal.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+REFFILE="$SOURCE_ROOT/test/tools/ls/pathtraversal/pathtraversal.sqfs"
+GOTCHA="/tmp/gotcha.txt"
+
+if "$SQSH_UNPACK" "$REFFILE" / ""; then
+	if [ -e "$GOTCHA" ]; then
+		echo "Found $GOTCHA which should not be there"
+		exit 1
+	fi
+fi
diff --git a/test/tools/unpack/pathtraversal/pathtraversal.sqfs b/test/tools/unpack/pathtraversal/pathtraversal.sqfs