syft/internal/file/copy.go

package file

import (
	"errors"
	"fmt"
	"io"
)

const perFileReadLimit = 2 * GB

// safeCopy limits the copy from the reader. This is useful when extracting files from archives to
// protect against decompression bomb attacks.
func safeCopy(writer io.Writer, reader io.Reader) error {
	numBytes, err := io.Copy(writer, io.LimitReader(reader, perFileReadLimit))
	if numBytes >= perFileReadLimit || errors.Is(err, io.EOF) {
		return fmt.Errorf("zip read limit hit (potential decompression bomb attack)")
	}
	return nil
}
Add support for searching for jars within archives (#734) * add support for searching jars within archives Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add package cataloger config options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments + factor out safeCopy helper Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update config docs regarding package archive search options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * show that unindexed archive cataloging defaults to false Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove lies about -s Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update search archive note about java Signed-off-by: Alex Goodman <alex.goodman@anchore.com> 2022-01-06 21:40:51 +00:00			`package file`

			`import (`
			`"errors"`
			`"fmt"`
			`"io"`
			`)`

			`const perFileReadLimit = 2 * GB`

			`// safeCopy limits the copy from the reader. This is useful when extracting files from archives to`
			`// protect against decompression bomb attacks.`
			`func safeCopy(writer io.Writer, reader io.Reader) error {`
			`numBytes, err := io.Copy(writer, io.LimitReader(reader, perFileReadLimit))`
			`if numBytes >= perFileReadLimit \|\| errors.Is(err, io.EOF) {`
			`return fmt.Errorf("zip read limit hit (potential decompression bomb attack)")`
			`}`
			`return nil`
			`}`