Merge branch 'master' into oldpr434

zip-rs · May 10, 2024 · d960e33 · d960e33
2 parents 0dc6c72 + e569087
commit d960e33
Show file tree

Hide file tree

Showing 4,602 changed files with 2,432 additions and 652 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -6,7 +6,6 @@ on:
       - 'master'
   push:
     branches-ignore:
-      - 'release-plz-**'
       - 'gh-readonly-queue/**'
   workflow_dispatch:
   merge_group:
@@ -22,14 +21,15 @@ jobs:
       matrix:
         os: [ubuntu-latest, macOS-latest, windows-latest]
         rustalias: [stable, nightly, msrv]
+        feature_flag: ["--all-features", "--no-default-features", ""]
         include:
         - rustalias: stable
           rust: stable
         - rustalias: msrv
           rust: '1.70'
         - rustalias: nightly
           rust: nightly
-    name: 'Build and test: ${{ matrix.os }}, ${{ matrix.rustalias }}'
+    name: 'Build and test ${{ matrix.feature_flag }}: ${{ matrix.os }}, ${{ matrix.rustalias }}'
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@master
@@ -44,47 +44,59 @@ jobs:
       uses: actions-rs/cargo@v1
       with:
         command: check
-        args: --all --bins --examples
+        args: --all ${{ matrix.feature_flag }} --bins --examples
 
     - name: Tests
       uses: actions-rs/cargo@v1
       with:
         command: test
-        args: --all
+        args: --all ${{ matrix.feature_flag }}
 
-    - name: Tests (no features)
-      uses: actions-rs/cargo@v1
-      with:
-        command: test
-        args: --all --no-default-features
-
-  style_and_docs:
+  cargo_fmt:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
-
       - uses: actions-rs/toolchain@v1
         with:
           profile: minimal
           toolchain: nightly
           override: true
-          components: rustfmt, clippy
+          components: rustfmt
       - name: fmt
         run: cargo fmt --all -- --check
-      - name: clippy
-        uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: --all-targets --all-features -- -D warnings
-      - name: Docs
-        run: cargo doc --no-deps
+
+  style_and_docs:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    strategy:
+      matrix:
+        feature_flag: ["--all-features", "--no-default-features", ""]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions-rs/toolchain@v1
+      with:
+        profile: minimal
+        toolchain: nightly
+        override: true
+        components: clippy
+    - name: clippy
+      uses: actions-rs/cargo@v1
+      with:
+        command: clippy
+        args: --all-targets ${{ matrix.feature_flag }} -- -D warnings
+    - name: docs
+      uses: actions-rs/cargo@v1
+      with:
+        command: doc
+        args: --no-deps ${{ matrix.feature_flag }}
 
   fuzz_read:
     runs-on: ubuntu-latest
     needs:
       - build_and_test
+      - cargo_fmt
       - style_and_docs
     steps:
       - uses: actions/checkout@v4
@@ -107,7 +119,7 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: fuzz
-          args: run --all-features fuzz_read -- fuzz/corpus/seed -timeout=10s -fork=2 -runs=25000000 -max_len=1300 -len_control=0 -dict=fuzz/fuzz.dict
+          args: run --all-features fuzz_read -- fuzz/corpus/fuzz_read -timeout=10s -fork=2 -runs=25000000 -max_len=1300 -len_control=0 -dict=fuzz/fuzz.dict
       - name: Upload any failure inputs
         if: always()
         uses: actions/upload-artifact@v4
@@ -120,7 +132,7 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: fuzz
-          args: cmin --all-features fuzz_read fuzz/corpus/seed -- fuzz/corpus/new_seed
+          args: cmin --all-features fuzz_read fuzz/corpus/fuzz_read -- fuzz/corpus/new_seed
       - name: Upload updated seed corpus
         if: always()
         uses: actions/upload-artifact@v4
@@ -132,6 +144,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build_and_test
+      - cargo_fmt
       - style_and_docs
     steps:
       - uses: actions/checkout@v4
@@ -154,7 +167,7 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: fuzz
-          args: run --no-default-features fuzz_read -- fuzz/corpus/seed -timeout=10s -fork=2 -runs=40000000 -max_total_time=19800 -max_len=16384 -len_control=0 -dict=fuzz/fuzz.dict
+          args: run --no-default-features fuzz_read fuzz/corpus/fuzz_read -- -timeout=10s -fork=2 -runs=40000000 -max_total_time=19800 -max_len=16384 -len_control=0 -dict=fuzz/fuzz.dict
       - name: Upload any failure inputs
         if: always()
         uses: actions/upload-artifact@v4
@@ -167,7 +180,7 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: fuzz
-          args: cmin --no-default-features fuzz_read fuzz/corpus/seed -- fuzz/corpus/new_seed
+          args: cmin --no-default-features fuzz_read fuzz/corpus/fuzz_read -- fuzz/corpus/new_seed
       - name: Upload updated seed corpus
         if: always()
         uses: actions/upload-artifact@v4
@@ -179,6 +192,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build_and_test
+      - cargo_fmt
       - style_and_docs
     steps:
       - uses: actions/checkout@v4
@@ -201,13 +215,16 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: fuzz
-          args: run --all-features fuzz_write -- -timeout=10s -fork=2 -runs=2500000 -max_len=1100 -len_control=200 -dict=fuzz/fuzz.dict
+          args: run --all-features fuzz_write fuzz/corpus/fuzz_write -- -timeout=2s -fork=2 -runs=1000000 -max_len=500 -dict=fuzz/fuzz.dict
       - name: Upload any failure inputs
         if: always()
         uses: actions/upload-artifact@v4
         with:
           name: fuzz_write_bad_inputs
-          path: fuzz/artifacts/fuzz_write/crash-*
+          path: |
+            fuzz/artifacts/fuzz_write/crash-*
+            fuzz/artifacts/fuzz_write/leak-*
+            fuzz/artifacts/fuzz_write/timeout-*
           if-no-files-found: ignore
       - name: Minimize seed corpus
         if: always()
@@ -226,6 +243,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build_and_test
+      - cargo_fmt
       - style_and_docs
     steps:
       - uses: actions/checkout@v4
@@ -248,7 +266,7 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: fuzz
-          args: run --no-default-features fuzz_write -- -timeout=10s -fork=2 -runs=20000000 -max_len=10000 -len_control=200 -dict=fuzz/fuzz.dict
+          args: run --no-default-features fuzz_write fuzz/corpus/fuzz_write -- -timeout=10s -fork=2 -runs=50000000 -max_len=10000 -len_control=200 -dict=fuzz/fuzz.dict
       - name: Upload any failure inputs
         if: always()
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -21,6 +21,19 @@ jobs:
           toolchain: nightly
           override: true
           profile: minimal
+      - name: Close old release PR
+        run: |
+          # List all opened PRs which head branch starts with "release-plz-"
+          release_pr=$(gh pr list --state='open' --json number,headRefName --jq '.[] | select(.headRefName | startswith("release-plz-")) | .number')
+          # Close the release PR if there is one
+          if [[ -n "$release_pr" ]]; then
+            echo "Closing old release PR $release_pr"
+            gh pr close $release_pr
+          else
+            echo "No open release PR"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_PAT }}
       - name: Run release-plz
         uses: MarcoIeni/[email protected]
         env:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,63 @@
 # Changelog
 
+## [1.2.2](https://github.com/zip-rs/zip2/compare/v1.2.1...v1.2.2) - 2024-05-09
+
+### <!-- 1 -->🐛 Bug Fixes
+- Failed to clear "writing_raw" before finishing a symlink, leading to dropped extra fields
+
+### <!-- 4 -->⚡ Performance
+- Use boxed slice for archive comment, since it can't be concatenated
+- Optimize for the fact that false signatures can't overlap with real ones
+
+## [1.2.1](https://github.com/zip-rs/zip2/compare/v1.2.0...v1.2.1) - 2024-05-06
+
+### <!-- 1 -->🐛 Bug Fixes
+- Prevent panic when trying to read a file with an unsupported compression method
+- Prevent panic after reading an invalid LZMA file
+- Make `Stored` the default compression method if `Deflated` isn't available, so that zip files are readable by as much software as possible
+- version_needed was wrong when e.g. cfg(bzip2) but current file wasn't bzip2 ([#100](https://github.com/zip-rs/zip2/pull/100))
+- file paths shouldn't start with slashes ([#102](https://github.com/zip-rs/zip2/pull/102))
+
+### <!-- 2 -->🚜 Refactor
+- Overhaul `impl Arbitrary for FileOptions`
+- Remove unused `atomic` module
+
+## [1.2.0](https://github.com/zip-rs/zip2/compare/v1.1.4...v1.2.0) - 2024-05-06
+
+### <!-- 0 -->🚀 Features
+- Add method `decompressed_size()` so non-recursive ZIP bombs can be detected
+
+### <!-- 2 -->🚜 Refactor
+- Make `ZipWriter::finish()` consume the `ZipWriter`
+
+### <!-- 7 -->⚙️ Miscellaneous Tasks
+- Use panic! rather than abort to ensure the fuzz harness can process the failure
+- Update fuzz_write to use replace_with
+- Remove a drop that can no longer be explicit
+- Add `#![allow(unexpected_cfgs)]` in nightly
+
+## [1.1.4](https://github.com/zip-rs/zip2/compare/v1.1.3...v1.1.4) - 2024-05-04
+
+### <!-- 1 -->🐛 Bug Fixes
+- Build was failing with bzip2 enabled
+- use is_dir in more places where Windows paths might be handled incorrectly
+
+### <!-- 4 -->⚡ Performance
+- Quick filter for paths that contain "/../" or "/./" or start with "./" or "../"
+- Fast handling for separator-free paths
+- Speed up logic if main separator isn't '/'
+- Drop `normalized_components` slightly sooner when not using it
+- Speed up `path_to_string` in cases where the path is already in the proper format
+
+### <!-- 7 -->⚙️ Miscellaneous Tasks
+- Refactor: can short-circuit handling of paths that start with MAIN_SEPARATOR, no matter what MAIN_SEPARATOR is
+- Bug fix: non-canonical path detection when MAIN_SEPARATOR is not slash or occurs twice in a row
+- Bug fix: must recreate if . or .. is a path element
+- Bug fix
+
+### <!-- 9 -->◀️ Revert
+- [#58](https://github.com/zip-rs/zip2/pull/58) (partial): `bzip2-rs` can't replace `bzip2` because it's decompress-only
+
 ## [1.1.3](https://github.com/zip-rs/zip2/compare/v1.1.2...v1.1.3) - 2024-04-30
 
 ### <!-- 1 -->🐛 Bug Fixes

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,7 +1 @@
-Pull requests are welcome, but they're subject to some requirements:
-
-* They must build against the MSRV, the latest stable Rust version, and the nightly Rust version, both with `--no-default-features` and with `--all-features`.
-* They must pass fuzz tests (see the Actions tab).
-* Commit messages must conform to [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and start with 
-  one of the types specified by the [Angular convention](https://github.com/angular/angular/blob/22b96b9/CONTRIBUTING.md#type). 
-* All commits must be signed.
+Pull requests are welcome, but they're subject to some requirements that a lot of them don't meet. See https://github.com/zip-rs/zip2/raw/master/pull_request_template.md for details.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "zip"
-version = "1.1.3"
+version = "1.2.2"
 authors = [
     "Mathijs van de Nes <[email protected]>",
     "Marli Frost <[email protected]>",
@@ -23,18 +23,22 @@ time = { version = "0.3.36", default-features = false }
 
 [dependencies]
 aes = { version = "0.8.4", optional = true }
-byteorder = "1.5.0"
 bzip2 = { version = "0.4.4", optional = true }
 chrono = { version = "0.4.38", optional = true }
 constant_time_eq = { version = "0.3.0", optional = true }
 crc32fast = "1.4.0"
+displaydoc = { version = "0.2.4", default-features = false }
 flate2 = { version = "1.0.28", default-features = false, optional = true }
+indexmap = "2"
 hmac = { version = "0.12.1", optional = true, features = ["reset"] }
 pbkdf2 = { version = "0.12.2", optional = true }
+rand = { version = "0.8.5", optional = true }
 sha1 = { version = "0.10.6", optional = true }
+thiserror = "1.0.48"
 time = { workspace = true, optional = true, features = [
     "std",
 ] }
+zeroize = { version = "1.6.0", optional = true, features = ["zeroize_derive"] }
 zstd = { version = "0.13.1", optional = true, default-features = false }
 zopfli = { version = "0.8.0", optional = true }
 deflate64 = { version = "0.1.8", optional = true }
@@ -52,8 +56,10 @@ getrandom = { version = "0.2.14", features = ["js"] }
 walkdir = "2.5.0"
 time = { workspace = true, features = ["formatting", "macros"] }
 anyhow = "1"
+clap = { version = "=4.4.18", features = ["derive"] }
+
 [features]
-aes-crypto = ["aes", "constant_time_eq", "hmac", "pbkdf2", "sha1"]
+aes-crypto = ["aes", "constant_time_eq", "hmac", "pbkdf2", "sha1", "rand", "zeroize"]
 chrono = ["chrono/default"]
 _deflate-any = []
 deflate = ["flate2/rust_backend", "_deflate-any"]
@@ -85,3 +91,7 @@ harness = false
 [[bench]]
 name = "read_metadata"
 harness = false
+
+[[bench]]
+name = "merge_archive"
+harness = false
diff --git a/README.md b/README.md
@@ -70,6 +70,7 @@ See the [examples directory](examples) for:
    * How to extract a zip file.
    * How to extract a single file from a zip.
    * How to read a zip from the standard input.
+   * How to append a directory to an existing archive
 
 Fuzzing
 -------