Add shared safe extract utils, tests, env scripts, and CI workflow

- utils_safe_extract.py for safe tar/zip extraction
- Refactor GUIs to use shared utils
- tests/: pytest for safe extract and command builder
- requirements: add pytest
- .github/workflows/ci.yml: run pytest and enforce 98MB file size cap
- .envrc.example and .python-version for direnv/pyenv

Author: mauriciomenon

.envrc.example

@@ -0,0 +1,10 @@
+# direnv example for ffmpeg-gui-pyqt6
+
+# Use pyenv local version if present
+use python
+
+# Create venv if missing and activate
+layout python
+
+# Optional: set Qt environment tweaks
+# export QT_LOGGING_RULES="*.debug=false;qt.qpa.*=false"

.github/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: CI
+
+on:
+  push:
+    branches: [ master, fix/**, feature/** ]
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -r requirements.txt
+          python -m pip install pytest
+      - name: Enforce max file size
+        run: |
+          # Fail if any repo file exceeds 98MB (102,760,448 bytes)
+          max=102760448
+          while IFS= read -r -d '' f; do
+            sz=$(stat -c%s "$f")
+            if [ "$sz" -ge "$max" ]; then
+              echo "File too large: $f ($sz bytes)"
+              exit 1
+            fi
+          done < <(git ls-files -z)
+      - name: Run tests
+        env:
+          QT_QPA_PLATFORM: offscreen
+        run: |
+          pytest -q

.python-version

@@ -0,0 +1 @@
+3.11.9

GUI_pyqt6_WINFF.py

@@ -14,6 +14,7 @@
 import tarfile
 from io import BytesIO
 from functools import partial
+from utils_safe_extract import safe_tar_extract, safe_zip_extract
 
 from PyQt6 import QtWidgets, QtCore
 from PyQt6.QtWidgets import QApplication, QWidget, QLabel, QLineEdit, QPushButton, QTextEdit, QComboBox, QFileDialog, QCheckBox, QHBoxLayout, QVBoxLayout, QProgressDialog
@@ -454,7 +455,7 @@ def _extract_ffmpeg_zip(self, zip_bytes):
         base_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), 'bin'))
         os.makedirs(base_dir, exist_ok=True)
         with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
-            self._safe_zip_extract(zf, base_dir)
+            safe_zip_extract(zf, base_dir)
         # try to find ffmpeg(.exe)
         ffmpeg_path = None
         for root, dirs, files in os.walk(base_dir):
@@ -498,7 +499,7 @@ def worker():
                         base_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), 'bin'))
                         os.makedirs(base_dir, exist_ok=True)
                         with tarfile.open(fileobj=BytesIO(content), mode='r:xz') as tf:
-                            self._safe_tar_extract(tf, base_dir)
+                            safe_tar_extract(tf, base_dir)
                         # procurar binário
                         ffmpeg_path = None
                         for root, dirs, files in os.walk(base_dir):
@@ -561,36 +562,7 @@ def show_info_msg(self, msg):
     def show_error_msg(self, msg):
         QtWidgets.QMessageBox.critical(self, 'Erro', msg)
 
-    # ---- security helpers ----
-    def _safe_tar_extract(self, tf: tarfile.TarFile, base_dir: str):
-        base = os.path.realpath(base_dir)
-        for member in tf.getmembers():
-            member_path = os.path.realpath(os.path.join(base, member.name))
-            if not member_path.startswith(base + os.sep) and member_path != base:
-                raise RuntimeError(f"Entrada insegura no tar: {member.name}")
-        tf.extractall(base)
-
-    def _safe_zip_extract(self, zf: zipfile.ZipFile, base_dir: str):
-        base = os.path.realpath(base_dir)
-        for zi in zf.infolist():
-            name = zi.filename
-            # reject absolute paths or drive letters
-            if os.path.isabs(name) or (
-                len(name) > 1 and name[1] == ':'
-            ):
-                raise RuntimeError(f"Entrada insegura no zip (absoluta): {name}")
-            dest = os.path.realpath(os.path.join(base, name))
-            if not dest.startswith(base + os.sep) and dest != base:
-                raise RuntimeError(f"Entrada insegura no zip: {name}")
-        # after validation, extract members
-        for zi in zf.infolist():
-            dest = os.path.realpath(os.path.join(base, zi.filename))
-            if zi.is_dir() or zi.filename.endswith('/'):
-                os.makedirs(dest, exist_ok=True)
-                continue
-            os.makedirs(os.path.dirname(dest), exist_ok=True)
-            with zf.open(zi, 'r') as src, open(dest, 'wb') as out:
-                out.write(src.read())
+    # ---- security helpers moved to utils_safe_extract ----
 
 if __name__ == '__main__':
     app = QApplication(sys.argv)

GUI_tkinter_WINFF.py

@@ -16,6 +16,7 @@
 import tarfile
 import tkinter as tk
 from tkinter import ttk, filedialog, messagebox
+from utils_safe_extract import safe_tar_extract, safe_zip_extract
 
 import importlib
 try:
@@ -406,7 +407,7 @@ def _extract_ffmpeg_zip(self, zip_bytes: bytes) -> str | None:
 		base_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), 'bin'))
 		os.makedirs(base_dir, exist_ok=True)
 		with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
-			self._safe_zip_extract(zf, base_dir)
+			safe_zip_extract(zf, base_dir)
 		for root, _dirs, files in os.walk(base_dir):
 			for f in files:
 				if f.lower() == ('ffmpeg.exe' if os.name == 'nt' else 'ffmpeg'):
@@ -447,7 +448,7 @@ def worker():
 					base_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), 'bin'))
 					os.makedirs(base_dir, exist_ok=True)
 					with tarfile.open(fileobj=BytesIO(content), mode='r:xz') as tf:
-						self._safe_tar_extract(tf, base_dir)
+						safe_tar_extract(tf, base_dir)
 					ffpath = None
 					for root, _d, files in os.walk(base_dir):
 						for f in files:
@@ -484,33 +485,7 @@ def poll():
 		threading.Thread(target=worker, daemon=True).start()
 		self.after(200, poll)
 
-	def _safe_tar_extract(self, tf: tarfile.TarFile, base_dir: str):
-		base = os.path.realpath(base_dir)
-		for member in tf.getmembers():
-			member_path = os.path.realpath(os.path.join(base, member.name))
-			if not member_path.startswith(base + os.sep) and member_path != base:
-				raise RuntimeError(f"Entrada insegura no tar: {member.name}")
-		tf.extractall(base)
-
-	def _safe_zip_extract(self, zf: zipfile.ZipFile, base_dir: str):
-		base = os.path.realpath(base_dir)
-		for zi in zf.infolist():
-			name = zi.filename
-			# reject absolute paths or drive letters on Windows
-			if os.path.isabs(name) or (len(name) > 1 and name[1] == ':'):
-				raise RuntimeError(f"Entrada insegura no zip (absoluta): {name}")
-			dest = os.path.realpath(os.path.join(base, name))
-			if not dest.startswith(base + os.sep) and dest != base:
-				raise RuntimeError(f"Entrada insegura no zip: {name}")
-		# after validation, extract members
-		for zi in zf.infolist():
-			dest = os.path.realpath(os.path.join(base, zi.filename))
-			if zi.is_dir() or zi.filename.endswith('/'):
-				os.makedirs(dest, exist_ok=True)
-				continue
-			os.makedirs(os.path.dirname(dest), exist_ok=True)
-			with zf.open(zi, 'r') as src, open(dest, 'wb') as out:
-				out.write(src.read())
+	# safe extract helpers moved to utils_safe_extract
 
 	def install_ffmpeg_via_winget(self):
 		if platform.system() != 'Windows':

requirements.txt

@@ -1,2 +1,3 @@
 PyQt6>=6.4.0
 ffmpeg-python>=0.2.0
+pytest>=8.2.0

tests/test_command_build.py

@@ -0,0 +1,35 @@
+import os
+import shlex
+import types
+
+# We'll import the GUI modules and call their build_command_list through a minimal shim.
+
+
+def test_pyqt6_build_command_list_defaults(monkeypatch):
+    import GUI_pyqt6_WINFF as m
+
+    w = m.FFmpegGuiPyQt6()
+    # simulate basic defaults
+    w.input_edit.setText('/tmp/in.mp4')
+    w.same_dir_chk.setChecked(True)
+    w.set_default_options()
+
+    args = w.build_command_list()
+    assert args[0] == 'ffmpeg'
+    assert '-i' in args and '/tmp/in.mp4' in args
+    # ensure no -s when resolution is original
+    assert '-s' not in args
+
+
+def test_tkinter_build_command_list_defaults(monkeypatch):
+    import GUI_tkinter_WINFF as m
+
+    app = m.FFmpegGuiTk()
+    app.input_var.set('/tmp/in.mp4')
+    app.same_dir_var.set(True)
+    app.set_default_options()
+
+    args = app.build_command_list()
+    assert args[0] == 'ffmpeg'
+    assert '-i' in args and '/tmp/in.mp4' in args
+    assert '-s' not in args

tests/test_safe_extract.py

@@ -0,0 +1,49 @@
+import io
+import os
+import tarfile
+import zipfile
+import tempfile
+import pytest
+
+from utils_safe_extract import safe_tar_extract, safe_zip_extract
+
+
+def test_safe_tar_extract_blocks_traversal(tmp_path):
+    # create a tar with a member that tries to escape
+    data = io.BytesIO()
+    with tarfile.open(fileobj=data, mode='w:xz') as tf:
+        ti = tarfile.TarInfo(name='ok/file.txt')
+        payload = b'hello'
+        ti.size = len(payload)
+        tf.addfile(ti, io.BytesIO(payload))
+        bad = tarfile.TarInfo(name='../../evil.txt')
+        bad.size = len(payload)
+        tf.addfile(bad, io.BytesIO(payload))
+    data.seek(0)
+
+    with tarfile.open(fileobj=io.BytesIO(data.read()), mode='r:xz') as tf:
+        with pytest.raises(RuntimeError):
+            safe_tar_extract(tf, str(tmp_path))
+
+
+def test_safe_zip_extract_blocks_traversal(tmp_path):
+    # create a zip with a traversal
+    data = io.BytesIO()
+    with zipfile.ZipFile(data, mode='w') as z:
+        z.writestr('ok/file.txt', 'hello')
+        z.writestr('../../evil.txt', 'hello')
+    data.seek(0)
+
+    with zipfile.ZipFile(io.BytesIO(data.read()), mode='r') as z:
+        with pytest.raises(RuntimeError):
+            safe_zip_extract(z, str(tmp_path))
+
+
+def test_safe_zip_extract_ok(tmp_path):
+    data = io.BytesIO()
+    with zipfile.ZipFile(data, mode='w') as z:
+        z.writestr('dir/a.txt', 'x')
+    data.seek(0)
+    with zipfile.ZipFile(io.BytesIO(data.read()), mode='r') as z:
+        safe_zip_extract(z, str(tmp_path))
+    assert (tmp_path / 'dir' / 'a.txt').exists()

utils_safe_extract.py

@@ -0,0 +1,38 @@
+"""
+Safe extraction helpers for tar and zip archives to prevent path traversal.
+"""
+from __future__ import annotations
+
+import os
+import tarfile
+import zipfile
+
+
+def safe_tar_extract(tf: tarfile.TarFile, base_dir: str) -> None:
+    base = os.path.realpath(base_dir)
+    for member in tf.getmembers():
+        member_path = os.path.realpath(os.path.join(base, member.name))
+        if not member_path.startswith(base + os.sep) and member_path != base:
+            raise RuntimeError(f"Entrada insegura no tar: {member.name}")
+    tf.extractall(base)
+
+
+def safe_zip_extract(zf: zipfile.ZipFile, base_dir: str) -> None:
+    base = os.path.realpath(base_dir)
+    for zi in zf.infolist():
+        name = zi.filename
+        # reject absolute paths or Windows drive letters
+        if os.path.isabs(name) or (len(name) > 1 and name[1] == ':'):
+            raise RuntimeError(f"Entrada insegura no zip (absoluta): {name}")
+        dest = os.path.realpath(os.path.join(base, name))
+        if not dest.startswith(base + os.sep) and dest != base:
+            raise RuntimeError(f"Entrada insegura no zip: {name}")
+    # after validation, extract members
+    for zi in zf.infolist():
+        dest = os.path.realpath(os.path.join(base, zi.filename))
+        if zi.is_dir() or zi.filename.endswith('/'):
+            os.makedirs(dest, exist_ok=True)
+            continue
+        os.makedirs(os.path.dirname(dest), exist_ok=True)
+        with zf.open(zi, 'r') as src, open(dest, 'wb') as out:
+            out.write(src.read())