mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
pkg/archive: RebaseArchiveEntries(): ignore G110
pkg/archive/copy.go:357:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
if _, err = io.Copy(rebasedTar, srcTar); err != nil {
^
Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
and https://cure53.de/pentest-report_opa.pdf, which recommends to
replace io.Copy with io.CopyN7. The latter allows to specify the
maximum number of bytes that should be read. By properly defining
the limit, it can be assured that a GZip compression bomb cannot
easily cause a Denial-of-Service.
After reviewing, this should not affect us, because here we do not
read into memory.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7b071e0557
)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
14b475d091
commit
2de90ebbe4
1 changed files with 10 additions and 0 deletions
|
@ -354,6 +354,16 @@ func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.Read
|
|||
return
|
||||
}
|
||||
|
||||
// Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
|
||||
// and https://cure53.de/pentest-report_opa.pdf, which recommends to
|
||||
// replace io.Copy with io.CopyN7. The latter allows to specify the
|
||||
// maximum number of bytes that should be read. By properly defining
|
||||
// the limit, it can be assured that a GZip compression bomb cannot
|
||||
// easily cause a Denial-of-Service.
|
||||
// After reviewing with @tonistiigi and @cpuguy83, this should not
|
||||
// affect us, because here we do not read into memory, hence should
|
||||
// not be vulnerable to this code consuming memory.
|
||||
//nolint:gosec // G110: Potential DoS vulnerability via decompression bomb (gosec)
|
||||
if _, err = io.Copy(rebasedTar, srcTar); err != nil {
|
||||
w.CloseWithError(err)
|
||||
return
|
||||
|
|
Loading…
Reference in a new issue