pkg/archive: RebaseArchiveEntries(): ignore G110

pkg/archive/copy.go:357:16: G110: Potential DoS vulnerability via decompression bomb (gosec) if _, err = io.Copy(rebasedTar, srcTar); err != nil { ^ Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433 and https://cure53.de/pentest-report_opa.pdf, which recommends to replace io.Copy with io.CopyN7. The latter allows to specify the maximum number of bytes that should be read. By properly defining the limit, it can be assured that a GZip compression bomb cannot easily cause a Denial-of-Service. After reviewing, this should not affect us, because here we do not read into memory. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 7b071e0557) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-16 22:29:06 +02:00 · 2021-04-16 22:29:06 +02:00 · 2de90ebbe4
parent 14b475d091
commit 2de90ebbe4
1 changed files with 10 additions and 0 deletions
--- a/pkg/archive/copy.go
+++ b/pkg/archive/copy.go
@ -354,6 +354,16 @@ func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.Read
 				return
 			}

+			// Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
+			// and https://cure53.de/pentest-report_opa.pdf, which recommends to
+			// replace io.Copy with io.CopyN7. The latter allows to specify the
+			// maximum number of bytes that should be read. By properly defining
+			// the limit, it can be assured that a GZip compression bomb cannot
+			// easily cause a Denial-of-Service.
+			// After reviewing with @tonistiigi and @cpuguy83, this should not
+			// affect us, because here we do not read into memory, hence should
+			// not be vulnerable to this code consuming memory.
+			//nolint:gosec // G110: Potential DoS vulnerability via decompression bomb (gosec)
 			if _, err = io.Copy(rebasedTar, srcTar); err != nil {
 				w.CloseWithError(err)
 				return