2de90ebbe4
pkg/archive/copy.go:357:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
if _, err = io.Copy(rebasedTar, srcTar); err != nil {
^
Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
and https://cure53.de/pentest-report_opa.pdf, which recommends to
replace io.Copy with io.CopyN7. The latter allows to specify the
maximum number of bytes that should be read. By properly defining
the limit, it can be assured that a GZip compression bomb cannot
easily cause a Denial-of-Service.
After reviewing, this should not affect us, because here we do not
read into memory.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| aaparser | ||
| archive | ||
| authorization | ||
| broadcaster | ||
| capabilities | ||
| chrootarchive | ||
| containerfs | ||
| devicemapper | ||
| directory | ||
| discovery | ||
| dmesg | ||
| filenotify | ||
| fileutils | ||
| fsutils | ||
| homedir | ||
| idtools | ||
| ioutils | ||
| jsonmessage | ||
| locker | ||
| longpath | ||
| loopback | ||
| mount | ||
| namesgenerator | ||
| parsers | ||
| pidfile | ||
| platform | ||
| plugingetter | ||
| plugins | ||
| pools | ||
| progress | ||
| pubsub | ||
| reexec | ||
| signal | ||
| stdcopy | ||
| streamformatter | ||
| stringid | ||
| symlink | ||
| sysinfo | ||
| system | ||
| tailfile | ||
| tarsum | ||
| term | ||
| truncindex | ||
| urlutil | ||
| useragent | ||
| README.md | ||
pkg/ is a collection of utility packages used by the Moby project without being specific to its internals.
Utility packages are kept separate from the moby core codebase to keep it as small and concise as possible. If some utilities grow larger and their APIs stabilize, they may be moved to their own repository under the Moby organization, to facilitate re-use by other projects. However that is not the priority.
The directory pkg is named after the same directory in the camlistore project. Since Brad is a core
Go maintainer, we thought it made sense to copy his methods for organizing Go code :) Thanks Brad!
Because utility packages are small and neatly separated from the rest of the codebase, they are a good place to start for aspiring maintainers and contributors. Get in touch if you want to help maintain them!