feat: allow configuring tar file extraction max size (#314)

Signed-off-by: 2rigor <[email protected]>
anchore · Oct 31, 2024 · 2ce1e52 · 2ce1e52
1 parent 9c92fe3
commit 2ce1e52
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/pkg/file/tarutil.go b/pkg/file/tarutil.go
@@ -14,7 +14,7 @@ import (
 	"github.com/anchore/stereoscope/internal/log"
 )
 
-const perFileReadLimit = 2 * GB
+var perFileReadLimit int64 = 2 * GB
 
 var ErrTarStopIteration = fmt.Errorf("halt iterating tar")
 
@@ -39,6 +39,12 @@ type ErrFileNotFound struct {
 	Path string
 }
 
+func SetPerFileReadLimit(maxBytes int64) {
+	if maxBytes > 0 {
+		perFileReadLimit = maxBytes
+	}
+}
+
 func (e *ErrFileNotFound) Error() string {
 	return fmt.Sprintf("file not found (path=%s)", e.Path)
 }
@@ -178,7 +184,7 @@ func (v tarVisitor) visit(entry TarFileEntry) error {
 		// limit the reader on each file read to prevent decompression bomb attacks
 		numBytes, err := io.Copy(f, io.LimitReader(entry.Reader, perFileReadLimit))
 		if numBytes >= perFileReadLimit || errors.Is(err, io.EOF) {
-			return fmt.Errorf("zip read limit hit (potential decompression bomb attack)")
+			return fmt.Errorf("zip read limit hit (potential decompression bomb attack): copied %v, limit %v", numBytes, perFileReadLimit)
 		}
 		if err != nil {
 			return fmt.Errorf("unable to copy file: %w", err)