From 2de90ebbe4a982a3ca82f73ba573aedc9f82177d Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 16 Apr 2021 22:29:06 +0200
Subject: [PATCH] pkg/archive: RebaseArchiveEntries(): ignore G110
pkg/archive/copy.go:357:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
if _, err = io.Copy(rebasedTar, srcTar); err != nil {
^
Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433 and https://cure53.de/pentest-report_opa.pdf, which recommends to replace io.Copy with io.CopyN7. The latter allows to specify the maximum number of bytes that should be read. By properly defining the limit, it can be assured that a GZip compression bomb cannot easily cause a Denial-of-Service. After reviewing, this should not affect us, because here we do not read into memory.
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 7b071e055716028dc8f45842105cd6ce0ff7db1e)
Signed-off-by: Sebastiaan van Stijn
---
 pkg/archive/copy.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pkg/archive/copy.go b/pkg/archive/copy.go
index 57fddac078..4b9f504d7d 100644
--- a/pkg/archive/copy.go
+++ b/pkg/archive/copy.go
@@ -354,6 +354,16 @@ func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.Read
 return
 }
+ // Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
+ // and https://cure53.de/pentest-report_opa.pdf, which recommends to
+ // replace io.Copy with io.CopyN7. The latter allows to specify the
+ // maximum number of bytes that should be read. By properly defining
+ // the limit, it can be assured that a GZip compression bomb cannot
+ // easily cause a Denial-of-Service.
+ // After reviewing with @tonistiigi and @cpuguy83, this should not
+ // affect us, because here we do not read into memory, hence should
+ // not be vulnerable to this code consuming memory.
+ //nolint:gosec // G110: Potential DoS vulnerability via decompression bomb (gosec)
 if _, err = io.Copy(rebasedTar, srcTar); err != nil {
 w.CloseWithError(err)
 return