From e1f89c57d065f5cdad35832ae27005d763a7a525 Mon Sep 17 00:00:00 2001
From: Amit Barve
Date: Tue, 23 Jan 2024 11:24:28 -0800
Subject: [PATCH] Add CodeQL suppression for tar extraction code

CodeQL is generating a warning for tar extraction code suggesting that the tar file entries are used in an unsanitized way and that could lead to file system traversal attacks. However, during tar extraction all the files are written to the disk using the `internal/safefile` package which ensures all the filesystem operations during layer extraction happen under the layer root directory. So this warning can be safely suppressed.

Signed-off-by: Amit Barve
---
 pkg/ociwclayer/import.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/ociwclayer/import.go b/pkg/ociwclayer/import.go
index 5f69d199b8..4ebfbbc2f7 100644
--- a/pkg/ociwclayer/import.go
+++ b/pkg/ociwclayer/import.go
@@ -61,6 +61,8 @@ func ImportLayerFromTar(ctx context.Context, r io.Reader, path string, parentLay
 func writeLayerFromTar(ctx context.Context, r io.Reader, w wclayer.LayerWriter, root string) (int64, error) {
 	t := tar.NewReader(r)
+	// CodeQL [SM03409] False positive, `internal/safefile` package ensures tar extractions are always
+	// bound to the layer root directory.
 	hdr, err := t.Next()
 	totalSize := int64(0)
 	buf := bufio.NewWriter(nil)
@@ -78,12 +80,16 @@ func writeLayerFromTar(ctx context.Context, r io.Reader, w wclayer.LayerWriter,
 			if err != nil {
 				return 0, err
 			}
+			// CodeQL [SM03409] False positive, `internal/safefile` package ensures tar extractions are always
+			// bound to the layer root directory.
 			hdr, err = t.Next()
 		} else if hdr.Typeflag == tar.TypeLink {
 			err = w.AddLink(filepath.FromSlash(hdr.Name), filepath.FromSlash(hdr.Linkname))
 			if err != nil {
 				return 0, err
 			}
+			// CodeQL [SM03409] False positive, `internal/safefile` package ensures tar extractions are always
+			// bound to the layer root directory.
 			hdr, err = t.Next()
 		} else {
 			var (
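Review bot: The suppression placed above `hdr, err := t.Next()` justifies itself with `internal/safefile`, but nothing in writeLayerFromTar calls safefile — the function only hands entry names to the caller-supplied `w wclayer.LayerWriter`, an interface, so the "bound to the layer root" property belongs to whichever implementation the caller passes, not to this code. A future or test LayerWriter that does not route through safefile would silently void the justification while the comment keeps telling CodeQL and readers the sink is safe. I would make the comment state the actual dependency, e.g. `// CodeQL [SM03409] False positive: hdr.Name/hdr.Linkname only reach w (wclayer.LayerWriter); the production writer routes every path through internal/safefile, which rejects names that escape the layer root.` If the scanner anchors this alert at the sink (`w.Add`/`w.AddLink`) rather than at the `t.Next()` read, a suppression on the source line may also not match the reported location — worth confirming the alert actually clears. writeLayerFromTar's body continues beyond this hunk.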
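Review bot: The second suppression in this hunk sits two lines below `err = w.AddLink(filepath.FromSlash(hdr.Name), filepath.FromSlash(hdr.Linkname))`, yet the justification speaks only of where files are written; for a hard link the attacker-controlled value that matters is `hdr.Linkname`, the link target, and whether the safefile-backed writer validates the target against the layer root as strictly as the entry name is not visible here. Since the commit replaces a static-analysis check with a prose assurance, the assurance should be pinned by a test rather than a comment alone: a unit test that feeds writeLayerFromTar a tar whose entry name and whose hard-link target both contain `..` components (and an absolute path), using the production LayerWriter, and asserts a non-nil error, would make SM03409's suppression regression-safe. Until such a test exists I would at least extend the comment to `// CodeQL [SM03409] False positive: both hdr.Name and hdr.Linkname are resolved by the LayerWriter under the layer root (internal/safefile); paths escaping the root are rejected there.` so the link-target case is explicitly claimed rather than implied. The enclosing loop and function continue outside the hunk.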