From 2ce1e520983b1c21d5150d7fae2b39e8e5ab9063 Mon Sep 17 00:00:00 2001
From: 2rigor <39034718+2rigor@users.noreply.github.com>
Date: Thu, 31 Oct 2024 20:06:43 +0200
Subject: [PATCH] feat: allow configuring tar file extraction max size (#314)

Signed-off-by: 2rigor <39034718+2rigor@users.noreply.github.com>
---
 pkg/file/tarutil.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pkg/file/tarutil.go b/pkg/file/tarutil.go
index 3e1435c3..32b7929b 100644
--- a/pkg/file/tarutil.go
+++ b/pkg/file/tarutil.go
@@ -14,7 +14,7 @@ import (
 	"github.com/anchore/stereoscope/internal/log"
 )
 
-const perFileReadLimit = 2 * GB
+var perFileReadLimit int64 = 2 * GB
 
 var ErrTarStopIteration = fmt.Errorf("halt iterating tar")
 
@@ -39,6 +39,12 @@ type ErrFileNotFound struct {
 	Path string
 }
 
+func SetPerFileReadLimit(maxBytes int64) {
+	if maxBytes > 0 {
+		perFileReadLimit = maxBytes
+	}
+}
+
 func (e *ErrFileNotFound) Error() string {
 	return fmt.Sprintf("file not found (path=%s)", e.Path)
 }
@@ -178,7 +184,7 @@ func (v tarVisitor) visit(entry TarFileEntry) error {
 	// limit the reader on each file read to prevent decompression bomb attacks
 	numBytes, err := io.Copy(f, io.LimitReader(entry.Reader, perFileReadLimit))
 	if numBytes >= perFileReadLimit || errors.Is(err, io.EOF) {
-		return fmt.Errorf("zip read limit hit (potential decompression bomb attack)")
+		return fmt.Errorf("zip read limit hit (potential decompression bomb attack): copied %v, limit %v", numBytes, perFileReadLimit)
 	}
 	if err != nil {
 		return fmt.Errorf("unable to copy file: %w", err)
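Review bot: SetPerFileReadLimit writes a package-level variable that visit reads on every entry with no synchronization, so a call made while another goroutine is already iterating a tar is a data race that `go test -race` would flag. If the intended contract is one-time setup, the exported function needs a doc comment saying so, e.g. `// SetPerFileReadLimit overrides the per-entry byte cap that stops oversized tar entries. It must be called before any extraction starts and is not safe for concurrent use; non-positive values are ignored.` Otherwise hold the value in an `atomic.Int64`, which only touches this declaration, the setter and the single read in visit. The silent `maxBytes > 0` guard is also worth spelling out: a caller passing 0 (say, from an unset config key) keeps the 2 GB default with no signal, which is safe but easy to misread as "unlimited", so either document it or return an error. Since a larger limit directly weakens the oversized-entry guard, the comment should also note that callers are responsible for picking a value their host can absorb.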
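Review bot: An entry that is exactly perFileReadLimit bytes long is rejected as a bomb by the `>=` check, because `io.LimitReader` caps the copy at the limit and the code cannot distinguish "exactly at" from "over"; read one byte past the limit and compare strictly: `numBytes, err := io.Copy(f, io.LimitReader(entry.Reader, perFileReadLimit+1))` and `if numBytes > perFileReadLimit {`. The `errors.Is(err, io.EOF)` clause on the same line is dead, since io.Copy reports end of input as a nil error rather than io.EOF. The message still says "zip read limit" inside a tar visitor; `tar entry read limit hit (potential decompression bomb attack): copied %d, limit %d` would be accurate, and `%d` fits the int64 operands better than `%v`. visit's body starts and ends outside this hunk.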