feat(cli): add archive command for cross-host data transport (#610)

* feat(cli): add archive command for cross-host data transport * fix(archive): correct flat-layout path and entry-count wording * refactor(archive): rename BuildArchive to WriteArchive
2026-06-10 20:07:46 +02:00 · 2026-06-07 15:58:33 +08:00
parent f1219e49ab
commit cd0b2daaf3
11 changed files with 543 additions and 15 deletions
@@ -3,9 +3,12 @@ package fileutil
 import (
 	"archive/zip"
 	"bytes"
+	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )

 // FileExists checks if the file exists in the provided path.
@@ -88,3 +91,102 @@ func writeFile(buffer *bytes.Buffer, filename string) error {

 	return nil
 }
+
+// ZipDir writes every file under srcDir into a new zip at zipPath, preserving the relative directory
+// layout with forward-slash entry names. Unlike CompressDir it neither flattens names nor deletes the
+// source — it is the producer side of cross-host archive transport.
+func ZipDir(zipPath, srcDir string) error {
+	out, err := os.Create(zipPath)
+	if err != nil {
+		return fmt.Errorf("create %s: %w", zipPath, err)
+	}
+	defer func() { _ = out.Close() }()
+
+	zw := zip.NewWriter(out)
+	walkErr := filepath.WalkDir(srcDir, func(p string, d os.DirEntry, walkErr error) error {
+		if walkErr != nil {
+			return walkErr
+		}
+		if d.IsDir() {
+			return nil
+		}
+		rel, err := filepath.Rel(srcDir, p)
+		if err != nil {
+			return err
+		}
+		w, err := zw.Create(filepath.ToSlash(rel))
+		if err != nil {
+			return err
+		}
+		src, err := os.Open(p) //nolint:gosec // G122: staging tree is created and populated by us
+		if err != nil {
+			return err
+		}
+		defer func() { _ = src.Close() }()
+		_, err = io.Copy(w, src)
+		return err
+	})
+	if walkErr != nil {
+		_ = zw.Close()
+		return fmt.Errorf("zip %s: %w", srcDir, walkErr)
+	}
+	if err := zw.Close(); err != nil {
+		return fmt.Errorf("close zip %s: %w", zipPath, err)
+	}
+	return nil
+}
+
+// Unzip extracts zipPath into destDir, rejecting any entry whose path would escape destDir (Zip-Slip)
+// since a transported archive is not fully trusted.
+func Unzip(zipPath, destDir string) error {
+	r, err := zip.OpenReader(zipPath)
+	if err != nil {
+		return fmt.Errorf("open zip %s: %w", zipPath, err)
+	}
+	defer func() { _ = r.Close() }()
+
+	root := filepath.Clean(destDir)
+	for _, f := range r.File {
+		target := filepath.Join(root, filepath.FromSlash(f.Name))
+		if target != root && !strings.HasPrefix(target, root+string(os.PathSeparator)) {
+			return fmt.Errorf("zip entry %q escapes destination", f.Name)
+		}
+		if f.FileInfo().IsDir() {
+			if err := os.MkdirAll(target, 0o755); err != nil {
+				return err
+			}
+			continue
+		}
+		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
+			return err
+		}
+		if err := writeZipEntry(f, target); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func writeZipEntry(f *zip.File, target string) error {
+	rc, err := f.Open()
+	if err != nil {
+		return err
+	}
+	defer func() { _ = rc.Close() }()
+
+	out, err := os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = out.Close() }()
+
+	for {
+		_, err := io.CopyN(out, rc, 1<<20)
+		if errors.Is(err, io.EOF) {
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+	}
+}
@@ -0,0 +1,88 @@
+package fileutil
+
+import (
+	"archive/zip"
+	"bytes"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestZipDirUnzip_RoundTrip(t *testing.T) {
+	src := t.TempDir()
+	files := map[string][]byte{
+		"empty.txt":               {},
+		"small.txt":               []byte("hello"),
+		"Default/Network/Cookies": []byte("cookie-bytes"),
+		"sub/big.bin":             bytes.Repeat([]byte("A"), 3<<20), // 3 MiB: exercises the chunked copy loop
+	}
+	for rel, data := range files {
+		p := filepath.Join(src, filepath.FromSlash(rel))
+		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
+			t.Fatal(err)
+		}
+		if err := os.WriteFile(p, data, 0o600); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	zipPath := filepath.Join(t.TempDir(), "out.zip")
+	if err := ZipDir(zipPath, src); err != nil {
+		t.Fatalf("ZipDir: %v", err)
+	}
+
+	zr, err := zip.OpenReader(zipPath)
+	if err != nil {
+		t.Fatalf("open zip: %v", err)
+	}
+	for _, f := range zr.File {
+		if strings.Contains(f.Name, `\`) {
+			t.Errorf("zip entry name must be forward-slash, got %q", f.Name)
+		}
+	}
+	if err := zr.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	dst := t.TempDir()
+	if err := Unzip(zipPath, dst); err != nil {
+		t.Fatalf("Unzip: %v", err)
+	}
+	for rel, want := range files {
+		got, err := os.ReadFile(filepath.Join(dst, filepath.FromSlash(rel)))
+		if err != nil {
+			t.Errorf("missing %s after Unzip: %v", rel, err)
+			continue
+		}
+		if !bytes.Equal(got, want) {
+			t.Errorf("%s: content mismatch (got %d bytes, want %d)", rel, len(got), len(want))
+		}
+	}
+}
+
+func TestUnzip_RejectsZipSlip(t *testing.T) {
+	zipPath := filepath.Join(t.TempDir(), "evil.zip")
+	f, err := os.Create(zipPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	zw := zip.NewWriter(f)
+	w, err := zw.Create("../escape.txt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := w.Write([]byte("pwned")); err != nil {
+		t.Fatal(err)
+	}
+	if err := zw.Close(); err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := Unzip(zipPath, t.TempDir()); err == nil {
+		t.Fatal("Unzip must reject an entry that escapes the destination")
+	}
+}