fix(archive): enforce extraction resource limits

2026-05-08 00:51:25 +00:00 · 2026-02-14 15:30:05 +01:00
parent c8424bf29a
commit d3ee5deb87
3 changed files with 200 additions and 39 deletions
--- a/src/infra/archive.test.ts
+++ b/src/infra/archive.test.ts
@@ -96,4 +96,45 @@ describe("archive utils", () => {
      extractArchive({ archivePath, destDir: extractDir, timeoutMs: 5_000 }),
    ).rejects.toThrow(/escapes destination/i);
  });
+
+  it("rejects zip archives that exceed extracted size budget", async () => {
+    const workDir = await makeTempDir();
+    const archivePath = path.join(workDir, "bundle.zip");
+    const extractDir = path.join(workDir, "extract");
+
+    const zip = new JSZip();
+    zip.file("package/big.txt", "x".repeat(64));
+    await fs.writeFile(archivePath, await zip.generateAsync({ type: "nodebuffer" }));
+
+    await fs.mkdir(extractDir, { recursive: true });
+    await expect(
+      extractArchive({
+        archivePath,
+        destDir: extractDir,
+        timeoutMs: 5_000,
+        limits: { maxExtractedBytes: 32 },
+      }),
+    ).rejects.toThrow("archive extracted size exceeds limit");
+  });
+
+  it("rejects tar archives that exceed extracted size budget", async () => {
+    const workDir = await makeTempDir();
+    const archivePath = path.join(workDir, "bundle.tar");
+    const extractDir = path.join(workDir, "extract");
+    const packageDir = path.join(workDir, "package");
+
+    await fs.mkdir(packageDir, { recursive: true });
+    await fs.writeFile(path.join(packageDir, "big.txt"), "x".repeat(64));
+    await tar.c({ cwd: workDir, file: archivePath }, ["package"]);
+
+    await fs.mkdir(extractDir, { recursive: true });
+    await expect(
+      extractArchive({
+        archivePath,
+        destDir: extractDir,
+        timeoutMs: 5_000,
+        limits: { maxExtractedBytes: 32 },
+      }),
+    ).rejects.toThrow("archive extracted size exceeds limit");
+  });
 });