From 86f0343bcc395bdbc4f3a569d54e6df317635faa Mon Sep 17 00:00:00 2001
From: Ryan Moran <rmoran@vmware.com>
Date: Wed, 23 Feb 2022 10:48:45 -0800
Subject: [PATCH 1/2] Fixes error interpolation case where err is nil

---
 postal/service.go      | 3 ++-
 postal/service_test.go | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/postal/service.go b/postal/service.go
index 33d93333..d265866c 100644
--- a/postal/service.go
+++ b/postal/service.go
@@ -1,6 +1,7 @@
 package postal
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"path/filepath"
@@ -179,7 +180,7 @@ func (s Service) Deliver(dependency Dependency, cnbPath, layerPath, platformPath
 	}
 
 	if !ok {
-		return fmt.Errorf("checksum does not match: %s", err)
+		return errors.New("failed to validate dependency: checksum does not match")
 	}
 
 	return nil
diff --git a/postal/service_test.go b/postal/service_test.go
index 03b1a24f..145c1c78 100644
--- a/postal/service_test.go
+++ b/postal/service_test.go
@@ -616,7 +616,7 @@ version = "this is super not semver"
 						"",
 					)
 
-					Expect(err).To(MatchError(ContainSubstring("checksum does not match")))
+					Expect(err).To(MatchError("validation error: checksum does not match"))
 				})
 			})
 

From 67fd6cd10c4bca18e80ba1b29958c47e26b33618 Mon Sep 17 00:00:00 2001
From: Forest Eckhardt <feckhardt@pivotal.io>
Date: Wed, 23 Feb 2022 21:32:59 +0000
Subject: [PATCH 2/2] Adds failure case where there is additional data on the
 tar file

---
 postal/service_test.go | 76 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 68 insertions(+), 8 deletions(-)

diff --git a/postal/service_test.go b/postal/service_test.go
index 145c1c78..f38a85ef 100644
--- a/postal/service_test.go
+++ b/postal/service_test.go
@@ -572,6 +572,17 @@ version = "this is super not semver"
 		})
 
 		context("failure cases", func() {
+			context("when dependency mapping resolver fails", func() {
+				it.Before(func() {
+					mappingResolver.FindDependencyMappingCall.Returns.Error = fmt.Errorf("some dependency mapping error")
+				})
+				it("fails to find dependency mappings", func() {
+					err := deliver()
+
+					Expect(err).To(MatchError(ContainSubstring("some dependency mapping error")))
+				})
+			})
+
 			context("when the transport cannot fetch a dependency", func() {
 				it.Before(func() {
 					transport.DropCall.Returns.Error = errors.New("there was an error")
@@ -684,15 +695,64 @@ version = "this is super not semver"
 					Expect(err).To(MatchError(ContainSubstring("failed to extract symlink")))
 				})
 			})
-		})
-		context("when dependency mapping resolver fails", func() {
-			it.Before(func() {
-				mappingResolver.FindDependencyMappingCall.Returns.Error = fmt.Errorf("some dependency mapping error")
-			})
-			it("fails to find dependency mappings", func() {
-				err := deliver()
 
-				Expect(err).To(MatchError(ContainSubstring("some dependency mapping error")))
+			context("when the has additional data in the byte stream", func() {
+				it.Before(func() {
+					var err error
+					layerPath, err = os.MkdirTemp("", "path")
+					Expect(err).NotTo(HaveOccurred())
+
+					buffer := bytes.NewBuffer(nil)
+					tw := tar.NewWriter(buffer)
+
+					file := "some-file"
+					Expect(tw.WriteHeader(&tar.Header{Name: file, Mode: 0755, Size: int64(len(file))})).To(Succeed())
+					_, err = tw.Write([]byte(file))
+					Expect(err).NotTo(HaveOccurred())
+
+					Expect(tw.Close()).To(Succeed())
+
+					sum := sha256.Sum256(buffer.Bytes())
+					dependencySHA = hex.EncodeToString(sum[:])
+
+					// Empty block is tricking tar reader into think that we have reached
+					// EOF becuase we have surpassed the maximum block header size
+					var block [1024]byte
+					_, err = buffer.Write(block[:])
+					Expect(err).NotTo(HaveOccurred())
+
+					_, err = buffer.WriteString("additional data")
+					Expect(err).NotTo(HaveOccurred())
+
+					transport.DropCall.Returns.ReadCloser = io.NopCloser(buffer)
+
+					deliver = func() error {
+						return service.Deliver(
+							postal.Dependency{
+								ID:      "some-entry",
+								Stacks:  []string{"some-stack"},
+								URI:     "https://dependencies.example.com/dependencies/some-file-name.txt",
+								SHA256:  dependencySHA,
+								Version: "1.2.3",
+							},
+							"some-cnb-path",
+							layerPath,
+							"some-platform-dir",
+						)
+					}
+				})
+
+				it.After(func() {
+					Expect(os.RemoveAll(layerPath)).To(Succeed())
+				})
+
+				it("returns an error", func() {
+					err := deliver()
+					Expect(err).To(MatchError("failed to validate dependency: checksum does not match"))
+
+					Expect(transport.DropCall.Receives.Root).To(Equal("some-cnb-path"))
+					Expect(transport.DropCall.Receives.Uri).To(Equal("https://dependencies.example.com/dependencies/some-file-name.txt"))
+				})
 			})
 		})
 	})