Delete `NonSeekableStream` used in Zip64 tests in favor
of `ForwardOnlyStream` used in Mocks.
Additionally, delete the `ForwardOnlyStream.ReadByte` implementation
as the implementation on the base Stream is sufficient.

Tests fail in Visual Studio because they try to reuse the same scratch
working space, and each test is responsible for resetting the space. To
simplify the test code:

1. Make `TestBase` `IDisposable` and have it create the scratch space
2. Remove `ResetScratch()` as it is now handled by the base class
3. Add a unique ID to each scratch space folder to prevent collisions

This PR is meant to fix an arbitrary file write vulnerability that can be
achieved using a specially crafted zip archive that holds path traversal
filenames. When the filename gets concatenated to the target extraction
directory, the final path ends up outside of the target folder.
A sample malicious zip file named Zip.Evil.zip was used,
and when running the code below, resulted in the creation of C:/Temp/evil.txt
outside of the intended target directory.
There are various possible ways to avoid this issue, some include checking
for .. (dot dot) characters in the filename, but the best solution in our
opinion is to check if the final target filename starts with the target
folder (after both are resolved to their absolute path).
Stay secure,
Snyk Team
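
The check described in the PR text above (resolve both paths to absolute form, then require the entry path to start with the target folder), as an added example that is not part of the PR or of SharpCompress's own code. `SafeExtract`, `ResolveEntryPath` and the entry names are hypothetical and constructed for illustration.

```csharp
using System;
using System.IO;

static class SafeExtract
{
    // Hypothetical helper: returns the absolute destination for an archive
    // entry, or throws if the name resolves outside destinationDirectory.
    public static string ResolveEntryPath(string destinationDirectory, string entryName)
    {
        // Resolve the target folder and force a trailing separator, so that
        // "out" is not accepted as a prefix of the sibling folder "out-evil".
        string root = Path.GetFullPath(destinationDirectory);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
        {
            root += Path.DirectorySeparatorChar;
        }

        // GetFullPath collapses "." and ".." segments. Path.Combine returns a
        // rooted entryName unchanged, which the prefix check below rejects.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));

        if (!candidate.StartsWith(root, StringComparison.Ordinal))
        {
            throw new IOException("Entry '" + entryName + "' resolves outside the target directory.");
        }
        return candidate;
    }

    static void Main()
    {
        string target = Path.Combine(Path.GetTempPath(), "extract-demo");

        // Constructed entry names: one normal, three that leave the target.
        string[] names =
        {
            "docs/readme.txt",
            "../evil.txt",
            "a/../../evil.txt",
            "../extract-demo-evil/x.txt"
        };

        foreach (string name in names)
        {
            try { Console.WriteLine("OK      " + name + " -> " + ResolveEntryPath(target, name)); }
            catch (IOException ex) { Console.WriteLine("BLOCKED " + ex.Message); }
        }
    }
}
```

Only the first name is accepted. The last one shows why the trailing separator matters: without it, a sibling directory whose name begins with the target folder's name would pass the prefix test.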
* Add netstandard 2.0 target and netcoreapp2.0 tests
* Update xunit
* set tests explicitly to netcore2
* update travis
* Don't say build as netcoreapp1.0
* try adding dotnet 1 too
* Remove .NET Core 1 support
* switch to circle
* update cake
* fix circle build
* try fix file ending test again
* Fix casing on files
* Another casing fix
* Add back netstandard1.0
* Finish adding netstandard 1.0 back
* Add netstandard1.3 back
* Zip64 introduced seekable behavior into ZipWriter. The position may not be zero.
* Remove some dead code
* Update formats for zip64
* Make version created by and version needed to extract the same
* Running tests is faster than skipping