discourse/lib/compression/engine.rb
Jarek Radosz 4302097b3b
SECURITY: Prevent arbitrary file write when decompressing files (stable) (#18423)
* SECURITY: Prevent arbitrary file write when decompressing files
* FIX: Allow decompressing files into symlinked directories

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2022-09-29 20:07:58 +02:00


# frozen_string_literal: true
module Compression
  # Facade that selects one compression strategy for a file name and forwards
  # the archive operations to it.
  #
  # NOTE(review): this class does no path, symlink or size validation of its
  # own; `decompress` and `compress` are forwarded unchanged to the strategy.
  # Any protection against archive entries being written outside the intended
  # destination therefore has to live in the strategy classes, which are not
  # visible in this file.
  class Engine
    # Raised by .engine_for when no strategy accepts the given file name.
    UnsupportedFileExtension = Class.new(StandardError)

    # Builds the built-in strategy list.
    #
    # Order matters: .engine_for takes the first strategy that accepts the
    # file name, and the Tar+Gzip pipeline is listed ahead of the plain Gzip
    # and Tar strategies.
    #
    # @return [Array] newly constructed strategy objects on every call
    def self.default_strategies
      zip = Compression::Zip.new
      tar_gzip = Compression::Pipeline.new([Compression::Tar.new, Compression::Gzip.new])

      [zip, tar_gzip, Compression::Gzip.new, Compression::Tar.new]
    end

    # Returns an Engine wrapping the first strategy whose `can_handle?`
    # accepts +filename+.
    #
    # Only the file name is handed to the strategies, so the choice made here
    # cannot depend on the file's content (presumably it is based on the
    # extension, given the error name -- confirm in the strategy classes).
    #
    # @param filename [String] name of the file to compress or decompress
    # @param strategies [Array] candidates, tried in order
    # @raise [UnsupportedFileExtension] when no candidate accepts the name
    def self.engine_for(filename, strategies: default_strategies)
      reject_unknown = -> { raise UnsupportedFileExtension }
      chosen = strategies.find(reject_unknown) { |candidate| candidate.can_handle?(filename) }

      new(chosen)
    end

    # @param strategy [Object] object that answers `extension`, `decompress`
    #   and `compress`
    def initialize(strategy)
      @strategy = strategy
    end

    # Forward the public operations to the wrapped strategy.
    # (`delegate` is not core Ruby; presumably ActiveSupport's
    # Module#delegate -- confirm.)
    delegate :extension, :decompress, :compress, to: :@strategy
  end
end