Xceed .NET Libraries Documentation
Adding Item To Process Event

Welcome to Xceed .NET, .NET Standard and Xamarin Libraries! > Basic Concepts > Events > Adding Item To Process Event

The AddingItemToProcess event is raised when an item pair (current item and target item) is about to be added to a list of items to process.

Purpose

The AddingItemToProcess event allows an application to examine an item pair, replace it or exclude the pair from the list of items to be processed by a method.

The following methods can raise the AddingItemToProcess event: 

Method Description
FileSystemItem.CopyTo() Copies the item to another folder.
FileSystemItem.MoveTo() Moves the item to another folder.
FileSystemItem.Create() Creates the physical item.
FileSystemItem.Delete() Permanently deletes the physical item.
AbstractFolder.CopyFilesTo() Copies the folder's files to another folder.
AbstractFolder.MoveFilesTo() Moves the folder's files to another folder.
AbstractFolder.CopyItemsTo() Copies the folder's files and folders to another folder.
AbstractFolder.MoveItemsTo() Moves the folder's files and folders to another folder.

Demonstration

The AddingItemToProcess event can be used to filter out potentially dangerous zipped items whose names contain relative path elements (like ..\..\) that, during an unzip operation can create or overwrite files outside of the base destination folder.

public static void ZipSlip()
{
  AbstractFile zipFile = new DiskFile( "ZipSlip1.zip" );

  if( !zipFile.Exists )
    throw new InvalidProgramException( "The zip file must exist for this example to work correctly" );

  // Create a logical zip archive around the zip file
  ZipArchive zip = new ZipArchive( zipFile );

  // Create a FileSystemEvents object
  FileSystemEvents events = new FileSystemEvents();

  // Subscribe to the AddingItemToProcess event
  events.AddingItemToProcess += OnAddingItemToProcessExclude;

  // Setup a destination folder
  AbstractFolder destinationFolder = new DiskFolder( @"D:\ZipSlip\Output" );

  // User the destination folder as userData
  object userData = destinationFolder;

  // Unzip the contents of the archive
  zip.CopyFilesTo( events, userData, destinationFolder, true, true );
}

private static void OnAddingItemToProcessExclude( object sender, ItemProcessingEventArgs e )
{
  // Retrieve the destination folder from the user data
  AbstractFolder destinationFolder = ( AbstractFolder ) e.UserData;
  string destinationFullname = destinationFolder.FullName;

  FileSystemItem destinationItem = e.TargetItem;
  string targetPath = destinationItem.FullName;

  // If the target path does not start with the destination path
  if( !targetPath.StartsWith( destinationFullname ) )
  {
    /* The zipped item contains relative path modifiers that make the destination
       go outside the base destination path. In some controlled situations, that
       might be ok, but we chose not to allow it here. We will exclude this item. */

    e.Excluded = true;
  }
}
Public Shared Sub ZipSlip()
  Dim zipFile As AbstractFile = New DiskFile("ZipSlip1.zip")

  If (Not zipFile.Exists) Then
    Throw New InvalidProgramException("The zip file must exist for this example to work correctly")
  End If

  ' Create a logical zip archive around the zip file
  Dim zip As New ZipArchive(zipFile)

  ' Create a FileSystemEvents object
  Dim events As New FileSystemEvents()

  ' Subscribe to the AddingItemToProcess event
  AddHandler events.AddingItemToProcess, AddressOf OnAddingItemToProcessExclude

  ' Setup a destination folder
  Dim destinationFolder As AbstractFolder = New DiskFolder("D:\ZipSlip\Output")

  ' User the destination folder as userData
  Dim userData As Object = destinationFolder

  ' Unzip the contents of the archive
  zip.CopyFilesTo(events, userData, destinationFolder, True, True)
End Sub

Private Shared Sub OnAddingItemToProcessExclude(ByVal sender As Object, ByVal e As ItemProcessingEventArgs)
  ' Retrieve the destination folder from the user data
  Dim destinationFolder As AbstractFolder = CType(e.UserData, AbstractFolder)
  Dim destinationFullname As String = destinationFolder.FullName

  Dim destinationItem As FileSystemItem = e.TargetItem
  Dim targetPath As String = destinationItem.FullName

  ' If the target path does not start with the destination path
  If (Not targetPath.StartsWith(destinationFullname)) Then
    ' The zipped item contains relative path modifiers that make the destination
    ' go outside the base destination path. In some controlled situations, that
    ' might be ok, but we chose not to allow it here. We will exclude this item. 

    e.Excluded = True
  End If
End Sub

 

 

Copyright Xceed Software Inc

Send Feedback