anchore / stereoscope

go library for processing container images and simulating a squash filesystem
Apache License 2.0

Fix tar path traversal issue #214

Closed wagoodman closed 7 months ago

wagoodman commented 7 months ago

This modifies the UntarToDirectory such that if the target for a file is outside of the unarchive destination then an error is returned. This patches https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv .
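A containment check of the kind this PR describes, written here as an added example rather than stereoscope's own code: each entry name is joined under the destination and rejected if the cleaned result resolves outside it, and the archive headers are scanned before anything is written. The function names, the sentinel error and the constructed in-memory archive are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for an entry that would resolve outside dst.
var ErrPathTraversal = errors.New("tar entry escapes destination directory")
// safeJoin joins name under dst and rejects any result not contained in dst. Join cleans
// "a/../../x" before the check; the separator stops "../outX" from matching a dst named "out".
func safeJoin(dst, name string) (string, error) {
	cleanDst := filepath.Clean(dst)
	target := filepath.Join(cleanDst, name)
	if target != cleanDst && !strings.HasPrefix(target, cleanDst+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}
// checkTarPaths returns the first entry that would escape dst, before any file is written.
func checkTarPaths(r io.Reader, dst string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if _, err := safeJoin(dst, hdr.Name); err != nil {
			return err
		}
	}
}

// buildTar constructs an in-memory archive of empty regular files (constructed sample input).
func buildTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Typeflag: tar.TypeReg})
	}
	_ = tw.Close()
	return buf.Bytes()
}
```

Symlink and hardlink targets need the same containment check, which this example does not cover.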

github-actions[bot] commented 7 months ago

Benchmark Test Results

Benchmark results from the latest changes vs base branch