This commit expands filepathDescendsFrom(string, string) to handle edge cases such as mixing absolute and relative paths or artifact name edge cases.
Additionally, tests for filepathDescendsFrom() and downloadrun() have been expanded to verify additional use cases.
This incorporates the work done by @williammartin to improve reasoning about `gh run download` behavior through testing while verifying a simpler solution to checking if a path is contained within a directory.
This builds off suggestion to reuse logic used already within `gh run download` for detecting path traversals.
This largely works but runs into an issue where detection logic doesn't handle non-separated traversal.
This commit addresses the documentation issue.
The discussion at #7018 has confirmed that it is undocumented that
the current behavior of `gh run download` with `-n` and no `run-id`
downloads the latest artifact.
Although the behavior has not been created intentionally, it is the one
that should be documented and the future releases should warn before
a breaking change.
Found with
rg '(^ | \t|\t )' -g '*.go' -g '!*_test.go'
Mixed indent exceptions:
- wrapped long list items with extra 2-space indent
- code snippets using space indent
- commented code lines having "\t*// \t+" prefix
To prevent zipslip, we verify that each extracted file would fall
strictly under the prefix of the path to extract to. However, this
yielded a false positive when extracting to `.`, which is the default
for downloading a single archive.
- With no arguments in TTY mode, prompt which artifacts to download
- Change `--pattern` argument to be just `--name` and only do exact
matching
- For multi-archive downloads, prefix the destination path with the name
of the artifact
- Add tests exercising HTTP functionality
- Avoid "zipslip" path injection when extracting ZIP files
- Add tests for ZIP extraction
