fix: use encryption instead of zip wrapper

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>

Author: JeyJeyGao

test/e2e/internal/utils/crypto.go

@@ -0,0 +1,54 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"fmt"
+	"os"
+)
+
+// DecryptFile decrypts the AES encrypted file using an AES key and outputs the
+// decrypted file.
+func DecryptFile(inputFilename string, aesKey []byte, outputFilename string) error {
+	ciphertext, err := os.ReadFile(inputFilename)
+	if err != nil {
+		return err
+	}
+
+	block, err := aes.NewCipher(aesKey)
+	if err != nil {
+		return err
+	}
+
+	aesGCM, err := cipher.NewGCM(block)
+	if err != nil {
+		return err
+	}
+
+	nonceSize := aesGCM.NonceSize()
+	if len(ciphertext) < nonceSize {
+		return fmt.Errorf("ciphertext too short")
+	}
+
+	nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
+
+	plaintext, err := aesGCM.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(outputFilename, plaintext, 0600)
+}

test/e2e/internal/utils/zip.go

@@ -126,4 +126,4 @@ export NOTATION_E2E_BLOB_TRUST_POLICY_PATH=$CWD/testdata/blob/trustpolicies
 export NOTATION_E2E_TEST_DATA_PATH=$CWD/testdata
 
 # run tests
-ginkgo -r -p -v
+ginkgo -r -p -v --focus "with zip bomb total file size exceeds 256 MiB size li"

test/e2e/run.sh

@@ -79,12 +79,13 @@ var _ = Describe("notation plugin install", func() {
 
 	It("with zip bomb total file size exceeds 256 MiB size limit", func() {
 		Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
-			// extract the test file from the wrapped file to avoid the issue of the zip bomb being
-			// identified as a malicious file by the antivirus software
-			wrappedFilePath := filepath.Join(NotationE2EMaliciousPluginArchivePath, "wrapped_zip_bomb.zip")
-			fileName := "zip_bomb.zip"
-			targetPath := vhost.AbsolutePath(NotationDirName, fileName)
-			if err := utils.ExtractSingleFileFromZip(wrappedFilePath, fileName, targetPath); err != nil {
+			// The original test file was encrypted to avoid being identified as
+			// a malicious file by antivirus software. Decrypt on the fly to
+			// avoid the issue.
+			aesKey := []byte("9951d6610db9e6327b4af77f057fb494")
+			encryptedFilePath := filepath.Join(NotationE2EMaliciousPluginArchivePath, "zip_bomb.zip.enc")
+			targetPath := vhost.AbsolutePath(NotationDirName, "zip_bomb.zip")
+			if err := utils.DecryptFile(encryptedFilePath, aesKey, targetPath); err != nil {
 				Fail(fmt.Sprintf("failed to extract file from zip: %v", err))
 			}