Fix test, prevent decompression bomb

internal/image/filemap.go

@@ -37,7 +37,8 @@ func (filemap *FileMap) OpenFile(path string) (fs.File, error) {
 
 func (filemap *FileMap) AllFiles() []FileNode {
 	allFiles := []FileNode{}
-	filemap.fileNodeTrie.Walk(func(key string, value interface{}) error {
+	// No need to check error since we are not returning any errors
+	_ = filemap.fileNodeTrie.Walk(func(key string, value interface{}) error {
 		allFiles = append(allFiles, value.(FileNode))
 		return nil
 	})

internal/image/image.go

@@ -19,6 +19,9 @@
 
 const whiteoutPrefix = ".wh."
 
+// 2 GB
+const fileReadLimit = 2 * 1 << (10 * 3)
+
 type ScanResults struct {
 	Lockfiles []lockfile.Lockfile
 	ImagePath string
@@ -127,7 +130,7 @@
 		tarReader := tar.NewReader(layerReader)
 
 		for {
 			header, err := tarReader.Next()
 			if errors.Is(err, io.EOF) {
 				break
 			}
@@ -136,14 +139,14 @@
 			}
 			// Some tools prepend everything with "./", so if we don't Clean the
 			// name, we may have duplicate entries, which angers tar-split.
-			header.Name = filepath.Clean(header.Name)
+			cleanedFileName := filepath.Clean(header.Name)
 			// force PAX format to remove Name/Linkname length limit of 100 characters
 			// required by USTAR and to not depend on internal tar package guess which
 			// prefers USTAR over PAX
 			header.Format = tar.FormatPAX
 
-			basename := filepath.Base(header.Name)
-			dirname := filepath.Dir(header.Name)
+			basename := filepath.Base(cleanedFileName)
+			dirname := filepath.Dir(cleanedFileName)
 			tombstone := strings.HasPrefix(basename, whiteoutPrefix)
 			if tombstone { // TODO: Handle Opaque Whiteouts
 				basename = basename[len(whiteoutPrefix):]
@@ -153,15 +156,15 @@
 			// if we're checking a directory, don't filepath.Join names
 			var virtualPath string
 			if header.Typeflag == tar.TypeDir {
-				virtualPath = "/" + header.Name
+				virtualPath = "/" + cleanedFileName
 			} else {
 				virtualPath = "/" + filepath.Join(dirname, basename)
 			}
 
 			// where the file will be written to disk
-			absoluteDiskPath := filepath.Join(dirPath, header.Name)
+			absoluteDiskPath := filepath.Join(dirPath, cleanedFileName)
 
-			var fileType FileType = RegularFile
+			var fileType FileType
 			// write out the file/dir to disk
 			switch header.Typeflag {
 			case tar.TypeDir:
@@ -177,9 +180,12 @@
 				if err != nil {
 					return Image{}, err
 				}
-
-				if _, err := io.Copy(f, tarReader); err != nil {
-					return Image{}, err
+				numBytes, err := io.Copy(f, io.LimitReader(tarReader, fileReadLimit))
+				if numBytes >= fileReadLimit || errors.Is(err, io.EOF) {
+					return Image{}, fmt.Errorf("file exceeds read limit (potential decompression bomb attack)")
+				}
+				if err != nil {
+					return Image{}, fmt.Errorf("unable to copy file: %w", err)
 				}
 				fileType = RegularFile
 				f.Close()
@@ -232,6 +238,7 @@
 		}
 		filePath = dirname
 	}
+
 	return false
 }
 

internal/sourceanalysis/__snapshots__/integration_test.snap

@@ -187,7 +187,7 @@
           "position": {
             "filename": "\u003cAny value\u003e",
             "offset": -1,
-            "line": 1675,
+            "line": 1674,
             "column": 17
           }
         },
@@ -200,7 +200,7 @@
           "position": {
             "filename": "\u003cAny value\u003e",
             "offset": -1,
-            "line": 2045,
+            "line": 2044,
             "column": 18
           }
         },
@@ -213,7 +213,7 @@
           "position": {
             "filename": "\u003cAny value\u003e",
             "offset": -1,
-            "line": 3285,
+            "line": 3286,
             "column": 3
           }
         },
@@ -226,7 +226,7 @@
           "position": {
             "filename": "\u003cAny value\u003e",
             "offset": -1,
-            "line": 3184,
+            "line": 3183,
             "column": 18
           }
         },
@@ -238,7 +238,7 @@
           "position": {
             "filename": "\u003cAny value\u003e",
             "offset": -1,
-            "line": 3438,
+            "line": 3441,
             "column": 30
           }
         },