The plugin cannot handle relative paths in container tar files in some cases

[mladkau]

• node -v: v12.17.0
• npm -v: 6.14.4
• snyk -v: 1.320.1

Expected behaviour

The plugin can handle relative paths in different variants in a container tar file or produces an appropriate error message if input is unsupported. Please add documentation if the accepted input needs to meet special requirements which are not stated explicitly in the official spec(s): https://github.com/moby/moby/blob/master/image/spec/v1.md

Actual behaviour

Some form of relative paths are not handled correctly and produce an unexpected exception.

Steps to reproduce

• Unpack the fixture archive: test/fixture/docker-archives/docker-save/nginx.tar into a subdirectory.
• Repack the image in the subdirectory with: tar cf ../nginx.tar .
• Run test/system/static.test.ts -> The test FAILS
• Repack the image in the subdirectory with: tar cf ../nginx.tar *
• Run test/system/static.test.ts -> The test PASSES

When the test fails the code produces an unexpected exception:

 FAIL  test/system/static.test.ts
 ✖ Cannot read property 'Layers' of undefined

    tarExtractor.on("entry", async (header, stream, next) => {
      if (header.type === "file") {
----------------------------------^
        if (isTarFile(header.name)) {
          layers[header.name] = await extractImageLayer(stream, extractActions);

  test: static analysis builds the expected response
  stack: |
    getLayersContentAndArchiveManifest (lib/extractor/layer.ts:32:35)
    Extract.<anonymous> (lib/extractor/layer.ts:6:50)
    finishMaybe (node_modules/readable-stream/lib/_stream_writable.js:624:14)
    node_modules/readable-stream/lib/_stream_writable.js:599:5
    Extract._final (node_modules/tar-stream/extract.js:254:3)
    callFinal (node_modules/readable-stream/lib/_stream_writable.js:590:10)
  at:
    line: 32
    column: 35
    file: lib/extractor/layer.ts
    function: getLayersContentAndArchiveManifest
  type: TypeError
  tapCaught: uncaughtException

The reason for the unexpected exception is that paths are used for computation in a not normalized form.

Header is stored in a Map
https://github.com/snyk/snyk-docker-plugin/blob/master/lib/extractor/layer.ts#L34

Layer are filtered from paths mentioned in manifest.json:
https://github.com/snyk/snyk-docker-plugin/blob/master/lib/extractor/layer.ts#L127

If the paths defined in manifest.json are not exactly like the paths in the .tar archive (check with tar -tf nginx.tar) then the plugin produces an exception.

Solution:

Please normalize paths before using them for any computation. (See: https://nodejs.org/api/path.html#path_path_normalize_path).

[mladkau]

Relevant slack discussion: https://snyk.slack.com/archives/CGSNWAE76/p1590147147160200

[karniwl]

@shaimendel @snyk/runtime can we get a response from you on this issue?

[ivanstanev]

I think with our recent fix to run on Windows we normalized all paths referenced in the plugin so this is probably not an issue any more.

[ivanstanev]

@mladkau I'm pretty sure this is resolved now!