mirror of
https://github.com/Dokploy/dokploy.git
synced 2026-07-10 08:25:22 +02:00
test(drop): add security tests for traversal prevention in unzipDrop function
- Introduced a new test suite to validate that the unzipDrop function prevents writing outside the application directory, specifically addressing potential sandbox escape vulnerabilities. - Implemented setup and teardown logic to ensure a clean test environment for each test run.
This commit is contained in:
@@ -285,6 +285,45 @@ describe("unzipDrop path under output (no traversal)", () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe("security: traversal inside BASE_PATH (sandbox escape)", () => {
|
||||||
|
beforeAll(async () => {
|
||||||
|
await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
|
||||||
|
});
|
||||||
|
|
||||||
|
afterAll(async () => {
|
||||||
|
await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
|
||||||
|
});
|
||||||
|
|
||||||
|
it("should NOT allow writing outside application directory but inside BASE_PATH", async () => {
|
||||||
|
const appName = "sandbox-escape";
|
||||||
|
|
||||||
|
const base = APPLICATIONS_PATH.replace("/applications", "");
|
||||||
|
const output = path.join(APPLICATIONS_PATH, appName, "code");
|
||||||
|
|
||||||
|
await fs.mkdir(output, { recursive: true });
|
||||||
|
|
||||||
|
// attacker writes into traefik config inside base
|
||||||
|
const zip = new AdmZip();
|
||||||
|
zip.addFile(
|
||||||
|
"../../../traefik/dynamic/evil.yml",
|
||||||
|
Buffer.from("pwned: true"),
|
||||||
|
);
|
||||||
|
|
||||||
|
const file = new File([zip.toBuffer() as any], "exploit.zip");
|
||||||
|
|
||||||
|
await unzipDrop(file, { ...baseApp, appName });
|
||||||
|
|
||||||
|
const escapedPath = path.join(base, "traefik/dynamic/evil.yml");
|
||||||
|
|
||||||
|
const exists = await fs
|
||||||
|
.readFile(escapedPath)
|
||||||
|
.then(() => true)
|
||||||
|
.catch(() => false);
|
||||||
|
|
||||||
|
expect(exists).toBe(false);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
describe("unzipDrop using real zip files", () => {
|
describe("unzipDrop using real zip files", () => {
|
||||||
// const { APPLICATIONS_PATH } = paths();
|
// const { APPLICATIONS_PATH } = paths();
|
||||||
beforeAll(async () => {
|
beforeAll(async () => {
|
||||||
|
|||||||
Reference in New Issue
Block a user