Skip to content

Instantly share code, notes, and snippets.

@aibaars

aibaars/_summary.md Secret

Created February 20, 2023 15:37
Show Gist options
  • Save aibaars/b1456bbab6c13ed6e3192819ad95632d to your computer and use it in GitHub Desktop.
Save aibaars/b1456bbab6c13ed6e3192819ad95632d to your computer and use it in GitHub Desktop.
Download ZIP
Arbitrary file write during zipfile/tarfile extraction (ruby) 9 results (1 repository)
Raw
_summary.md

Results for "Arbitrary file write during zipfile/tarfile extraction"

Query 
/**
 * @name Arbitrary file write during zipfile/tarfile extraction
 * @description Extracting files from a malicious tar archive without validating that the
 *              destination file path is within the destination directory can cause files outside
 *              the destination directory to be overwritten.
 * @kind path-problem
 * @id rb/zip-slip
 * @problem.severity error
 * @security-severity 7.5
 * @precision medium
 * @tags security
 *       external/cwe/cwe-022
 */

import ruby
import codeql.ruby.security.ZipSlipQuery
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
  "potentially untrusted source"

Summary

Repository Results
discourse/discourse 9 result(s)
Raw
result-1-discourse-discourse.md

discourse/discourse

lib/compression/gzip.rb

      end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))
Path with 16 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))
Path with 16 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))

lib/compression/gzip.rb

      end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))
Path with 16 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))
Path with 16 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))

lib/compression/gzip.rb

      end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))
Path with 16 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))
Path with 16 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/gzip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/gzip.rb

          end # Change this later.

      ::File.open(entry_path, "wb") do |os|
        buf = "".dup
        while (buf = entry.read(chunk_size))

lib/compression/strategy.rb

      end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size
Path with 16 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size
Path with 16 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size

lib/compression/strategy.rb

      end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size
Path with 16 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size
Path with 16 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size

lib/compression/strategy.rb

      end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size
Path with 16 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size
Path with 16 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/strategy.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/strategy.rb

          end

      ::File.open(entry_path, "wb") do |os|
        while (buf = entry.read(chunk_size))
          remaining_size -= buf.size

lib/compression/zip.rb

      end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Path with 16 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Path with 16 steps

  1. lib/compression/gzip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  2. lib/compression/gzip.rb

        def get_compressed_file_stream(compressed_file_path)
      gzip = Zlib::GzipReader.open(compressed_file_path)
      yield(gzip)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)

lib/compression/zip.rb

      end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Path with 16 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Path with 16 steps

  1. lib/compression/tar.rb

        def get_compressed_file_stream(compressed_file_path)
      file_stream = IO.new(IO.sysopen(compressed_file_path))
      tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)

  2. lib/compression/tar.rb

          tar_extract = Gem::Package::TarReader.new(file_stream)
      tar_extract.rewind
      yield(tar_extract)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)

lib/compression/zip.rb

      end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)

This file extraction depends on a potentially untrusted source.

Paths

Path with 14 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  6. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  7. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  9. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  10. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  12. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  13. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  14. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Path with 16 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/zip.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  11. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  12. lib/compression/zip.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Path with 16 steps

  1. lib/compression/zip.rb

    
    def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  2. lib/compression/zip.rb

        def get_compressed_file_stream(compressed_file_path)
      zip_file = ::Zip::File.open(compressed_file_path)
      yield(zip_file)
    end

  3. lib/compression/strategy.rb

          sanitized_dest_path = sanitize_path(dest_path)

      get_compressed_file_stream(sanitized_compressed_file_path) do |compressed_file|
        available_size = calculate_available_size(max_size)

  4. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  5. lib/compression/strategy.rb

        end

    def entries_of(compressed_file)
      compressed_file
    end

  6. lib/compression/strategy.rb

    
    def entries_of(compressed_file)
      compressed_file
    end

  7. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  8. lib/compression/strategy.rb

            available_size = calculate_available_size(max_size)

        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  9. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  10. lib/compression/tar.rb

        end

    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  11. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  12. lib/compression/tar.rb

    
    def build_entry_path(dest_path, entry, _)
      File.join(dest_path, entry.full_name)
    end

  13. lib/compression/strategy.rb

    
        entries_of(compressed_file).each do |entry|
          entry_path = build_entry_path(sanitized_dest_path, entry, sanitized_compressed_file_path)
          next if !is_safe_path_for_extraction?(entry_path, sanitized_dest_path)

  14. lib/compression/strategy.rb

              FileUtils.mkdir_p(File.dirname(entry_path))
          if is_file?(entry)
            remaining_size = extract_file(entry, entry_path, available_size)
            available_size = remaining_size
          else

  15. lib/compression/zip.rb

        end

    def extract_file(entry, entry_path, available_size)
      remaining_size = available_size

  16. lib/compression/zip.rb

          end

      ::File.open(entry_path, "wb") do |os|
        entry.get_input_stream do |is|
          entry.set_extra_attributes_on_path(entry_path)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment