fixing sec issues

2025-09-07 01:14:19 +02:00
parent b3232e79d5
commit af11e843a4
13 changed files with 88 additions and 37 deletions


@@ -5,10 +5,17 @@ import (
"compress/gzip"
"fmt"
"io"
"log/slog"
"os"
"path/filepath"
)
const (
// Tune these to your apps needs
maxCompressedUpload = 500 << 20 // 500 MiB compressed
maxUncompressedOutput = 1000 << 20 // 100 MiB after inflate
)
func Untar(file io.Reader, path string) error {
gzr, err := gzip.NewReader(file)
if err != nil {
@@ -49,26 +56,35 @@ func Untar(file io.Reader, path string) error {
// if its a dir and it doesn't exist create it
case tar.TypeDir:
if _, err := os.Stat(target); err != nil {
if err := os.MkdirAll(target, 0755); err != nil {
if err := os.MkdirAll(target, 0600); err != nil {
return err
}
}
// if it's a file create it
case tar.TypeReg:
f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, header.FileInfo().Mode())
if err != nil {
return err
}
limited := &io.LimitedReader{R: gzr, N: maxUncompressedOutput}
// copy over contents
if _, err := io.Copy(f, tr); err != nil {
if _, err := io.Copy(f, limited); err != nil {
return err
}
// manually close here after each file operation; defering would cause each file close
// to wait until all operations have completed.
f.Close()
if err := f.Close(); err != nil {
slog.Error("failed to close file", "err", err)
}
if limited.N == 0 {
// Limit exhausted → likely bomb
return fmt.Errorf("payload too large after decompression")
}
}
}
}
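Review bot: The new `io.LimitedReader` in the tar.TypeReg branch wraps `gzr` instead of `tr`, so `io.Copy(f, limited)` now writes raw tar-stream bytes (the next headers and entries) into each file and desynchronises the tar reader; it should be `limited := &io.LimitedReader{R: tr, N: maxUncompressedOutput + 1}` with the `limited.N == 0` check kept, since with `N` equal to the limit an entry of exactly the allowed size is also rejected. In the tar.TypeDir branch `os.MkdirAll(target, 0600)` creates directories without the execute bit, so the owner cannot enter them and creating the files inside will fail; `0700` (or `0750`) is the restrictive mode that still works. The limit is per entry, not per archive, so an archive of many entries still has no total bound — a running counter across entries would close that, and the `maxUncompressedOutput` comment ("100 MiB after inflate") disagrees with the `1000 << 20` value. `header.FileInfo().Mode()` passed to `os.OpenFile` carries setuid/setgid/sticky bits from the archive; `header.FileInfo().Mode().Perm()` keeps only the permission bits. Untar's body continues outside the hunk, so how `target` is derived is not visible here.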