fixing sec issues

pkg/tools/archive/archive.go

@@ -5,10 +5,17 @@ import (
 	"compress/gzip"
 	"fmt"
 	"io"
+	"log/slog"
 	"os"
 	"path/filepath"
 )
 
+const (
+	// Tune these to your app’s needs
+	maxCompressedUpload   = 500 << 20  // 500 MiB compressed
+	maxUncompressedOutput = 1000 << 20 // 100 MiB after inflate
+)
+
 func Untar(file io.Reader, path string) error {
 	gzr, err := gzip.NewReader(file)
 	if err != nil {
@@ -49,26 +56,35 @@ func Untar(file io.Reader, path string) error {
 		// if its a dir and it doesn't exist create it
 		case tar.TypeDir:
 			if _, err := os.Stat(target); err != nil {
-				if err := os.MkdirAll(target, 0755); err != nil {
+				if err := os.MkdirAll(target, 0600); err != nil {
 					return err
 				}
 			}
 
 		// if it's a file create it
 		case tar.TypeReg:
-			f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
+			f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, header.FileInfo().Mode())
 			if err != nil {
 				return err
 			}
 
+			limited := &io.LimitedReader{R: gzr, N: maxUncompressedOutput}
+
 			// copy over contents
-			if _, err := io.Copy(f, tr); err != nil {
+			if _, err := io.Copy(f, limited); err != nil {
 				return err
 			}
 
 			// manually close here after each file operation; defering would cause each file close
 			// to wait until all operations have completed.
-			f.Close()
+			if err := f.Close(); err != nil {
+				slog.Error("failed to close file", "err", err)
+			}
+
+			if limited.N == 0 {
+				// Limit exhausted → likely bomb
+				return fmt.Errorf("payload too large after decompression")
+			}
 		}
 	}
 }

pkg/tools/hash/hash.go

@@ -14,6 +14,7 @@ func FileMD5(fp string) (string, error) {
 	}
 	defer f.Close()
 
+	
 	hasher := md5.New()
 	if _, err := io.Copy(hasher, f); err != nil {
 		return "", err