ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-19 21:18:09 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Ignore errors extracting corrupted tarball (#812)

Browse Source 
Co-authored-by: Azeem Shaikh <azeems@google.com>
This commit is contained in:
Azeem Shaikh 2021-08-05 18:03:35 -07:00 committed by GitHub
parent d821ea27ec
commit f4d2628799
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
clients/githubrepo/tarball.go
View File

@ -39,8 +39,9 @@ const (
)
var (
errTarballNotFound = errors.New("tarball not found")
errZipSlip = errors.New("ZipSlip path detected")
errTarballNotFound = errors.New("tarball not found")
errTarballCorrupted = errors.New("corrupted tarball")
errZipSlip = errors.New("ZipSlip path detected")
)
func extractAndValidateArchivePath(path, dest string) (string, error) {
@ -76,7 +77,7 @@ func (handler *tarballHandler) init(ctx context.Context, repo *github.Repository
}
// Setup temp dir/files and download repo tarball.
if err := handler.getTarball(ctx, repo); errors.Is(err, errTarballNotFound) {
if err := handler.getTarball(ctx, repo); errors.As(err, &errTarballNotFound) {
log.Printf("unable to get tarball %v. Skipping...", err)
return nil
} else if err != nil {
@ -84,7 +85,12 @@ func (handler *tarballHandler) init(ctx context.Context, repo *github.Repository
}
// Extract file names and content from tarball.
return handler.extractTarball()
err := handler.extractTarball()
if errors.As(err, &errTarballCorrupted) {
log.Printf("unable to extract tarball %v. Skipping...", err)
return nil
}
return err
}
func (handler *tarballHandler) getTarball(ctx context.Context, repo *github.Repository) error {
@ -144,7 +150,7 @@ func (handler *tarballHandler) extractTarball() error {
gz, err := gzip.NewReader(in)
if err != nil {
//nolint:wrapcheck
return sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("gzip.NewReader: %v: %v", handler.tempTarFile, err))
return sce.CreateInternal(errTarballCorrupted, fmt.Sprintf("gzip.NewReader: %v: %v", handler.tempTarFile, err))
}
tr := tar.NewReader(gz)
for {
@ -154,7 +160,7 @@ func (handler *tarballHandler) extractTarball() error {
}
if err != nil {
//nolint:wrapcheck
return sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("tarReader.Next: %v", err))
return sce.CreateInternal(errTarballCorrupted, fmt.Sprintf("tarReader.Next: %v", err))
}
switch header.Typeflag {
@ -196,8 +202,8 @@ func (handler *tarballHandler) extractTarball() error {
// Potential for DoS vulnerability via decompression bomb.
// Since such an attack will only impact a single shard, ignoring this for now.
if _, err := io.Copy(outFile, tr); err != nil {
//nolint:wrapcheck
return sce.Create(sce.ErrScorecardInternal, fmt.Sprintf("io.Copy: %v", err))
// nolint: wrapcheck
return sce.CreateInternal(errTarballCorrupted, fmt.Sprintf("io.Copy: %v", err))
}
outFile.Close()
handler.files = append(handler.files,