fix(security): cap bsdtar extraction size to prevent decompression bomb DoS [DEVA11Y-484] #1
# Regression tests for the DEVA11Y-484 decompression-bomb extraction guard.
# Runs the real-process integration suite (curl/bsdtar/Swift watchdog) on every PR
# that touches the download/extract path. macOS runner: it ships curl, bsdtar
# (libarchive), python3, and the Swift toolchain.
name: Extraction Guard Tests
on:
  pull_request:
    branches: ["master", "main"]
    paths:
      - "Plugins/BrowserStackAccessibilityLint/**"
      - "scripts/bash/cli.sh"
      - "scripts/zsh/cli.sh"
      - "scripts/fish/cli.sh"
      - "scripts/test/**"
      - ".github/workflows/extraction-guard-tests.yml"
  push:
    branches: ["master", "main"]
permissions:
  contents: read
jobs:
  extraction-guard:
    name: extraction-guard / integration
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Show toolchain
        run: |
          swift --version
          bsdtar --version
          curl --version | head -1
          python3 --version
      - name: Run DEVA11Y-484 extraction-guard regression suite
        run: bash scripts/test/run_tests.sh
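Review bot: the `extraction-guard` job sets no `timeout-minutes`, so if a regression in the guard lets bsdtar run unbounded during `scripts/test/run_tests.sh`, the macOS runner is held until GitHub's default job limit of 360 minutes; add `timeout-minutes:` to the job (a few minutes covers the steps shown) so a hang in a decompression-bomb case fails fast instead of consuming runner time. The SHA-pinned `actions/checkout` and the `contents: read` permission block are good; note also that the `push` trigger has no `paths` filter, which is fine if running the suite on every push to `master`/`main` is intended, but worth a comment since the `pull_request` trigger is filtered.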