* add support for searching jars within archives Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add package cataloger config options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments + factor out safeCopy helper Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update config docs regarding package archive search options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * show that unindexed archive cataloging defaults to false Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove lies about -s Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update search archive note about java Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
package file
import (
"errors"
"fmt"
"io"
)
// perFileReadLimit caps how many bytes safeCopy will pull out of a single
// archive entry before giving up. An entry's compressed size says nothing about
// its inflated size, so a hard byte ceiling is the only reliable defence against
// decompression bombs. GB is defined elsewhere in this package (not visible here).
const perFileReadLimit = 2 * GB
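// safeCopy copies reader into writer, refusing to copy perFileReadLimit bytes
// or more. It is meant for extracting entries out of archives (zip/jar and
// friends), where a crafted entry can inflate to many gigabytes from a few
// kilobytes of compressed input (a "decompression bomb").
//
// It returns an error when the limit is reached and also when the underlying
// read or write fails. io.Copy never returns io.EOF (a clean EOF is success),
// so checking only for io.EOF was dead code: a short read from a corrupt entry
// or a write failure on the destination was silently reported as a successful
// copy, leaving a truncated file behind with no signal to the caller.
func safeCopy(writer io.Writer, reader io.Reader) error {
	return copyWithLimit(writer, reader, perFileReadLimit)
}

// copyWithLimit streams at most limit bytes from reader to writer.
//
// Once the wrapped LimitReader is exhausted there is no way to tell whether the
// underlying reader had more data, so a payload of exactly limit bytes is
// (conservatively) treated as over the limit, matching the original behaviour.
// I/O errors from io.Copy are wrapped with %w so callers can still inspect them
// with errors.Is / errors.As.
func copyWithLimit(writer io.Writer, reader io.Reader, limit int64) error {
	numBytes, err := io.Copy(writer, io.LimitReader(reader, limit))
	if err != nil {
		// io.Copy already treats a clean EOF as success, so anything that
		// reaches here is a real failure and must not pass as an extraction.
		return fmt.Errorf("unable to copy file contents: %w", err)
	}
	if numBytes >= limit {
		return errors.New("zip read limit hit (potential decompression bomb attack)")
	}
	return nil
}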