Fix partial read edge cases (#969)

egibs · web-flow · commit 197169914a84 · 2025-05-30T11:45:35.000-07:00
* Fix partial read edge cases

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Preserve directory structure when extracting nested archives

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Avoid extracting archives that will collide with existing files

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Remove archive files we aren't going to extract

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Append the timestamp to duplicate macOS files instead of _file

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Modify overlapping directory names to extract everything

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Use archivePath in logs

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

---------

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/pkg/action/archive_test.go b/pkg/action/archive_test.go
@@ -348,6 +348,55 @@ func TestScanInvalidArchiveIgnore(t *testing.T) {
 	}
 }
 
+func TestScanConflictingArchiveFiles(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	clog.FromContext(ctx).With("test", "scan_conflicting_archive_files")
+
+	var out bytes.Buffer
+	r, err := render.New("json", &out)
+	if err != nil {
+		t.Fatalf("render: %v", err)
+	}
+
+	rfs := []fs.FS{rules.FS, thirdparty.FS}
+	yrs, err := CachedRules(ctx, rfs)
+	if err != nil {
+		t.Fatalf("rules: %v", err)
+	}
+
+	mc := malcontent.Config{
+		Concurrency:    runtime.NumCPU(),
+		ExitExtraction: false,
+		IgnoreSelf:     false,
+		MinFileRisk:    0,
+		MinRisk:        0,
+		Renderer:       r,
+		Rules:          yrs,
+		ScanPaths: []string{
+			"testdata/conflict.zip",
+		},
+	}
+	res, err := Scan(ctx, mc)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := r.Full(ctx, nil, res); err != nil {
+		t.Fatalf("full: %v", err)
+	}
+
+	got := out.String()
+	td, err := os.ReadFile("testdata/scan_conflict")
+	if err != nil {
+		t.Fatalf("testdata read failed: %v", err)
+	}
+	want := string(td)
+
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("output mismatch: (-want +got):\n%s", diff)
+	}
+}
+
 func TestGetExt(t *testing.T) {
 	tests := []struct {
 		path string
diff --git a/pkg/action/testdata/conflict.zip b/pkg/action/testdata/conflict.zip
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -1,7 +1,7 @@
 {
     "Files": {
-        "/apko_0.13.2_linux_arm64/apko": {
-            "Path": "testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko",
+        "/apko_0.13.2_linux_arm64/apko_0.13.2_linux_arm64/apko": {
+            "Path": "testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko_0.13.2_linux_arm64/apko",
             "SHA256": "ad237dc65d25cfe673b4891e189e9ff1fd041ec817133ac6c565120a6a189189",
             "Size": 26400952,
             "Syscalls": [
diff --git a/pkg/action/testdata/scan_conflict b/pkg/action/testdata/scan_conflict
@@ -0,0 +1 @@
+{}
diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
@@ -10,6 +10,7 @@ import (
 	"runtime"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/malcontent/pkg/pool"
@@ -32,7 +33,7 @@ func IsValidPath(target, dir string) bool {
 	return strings.HasPrefix(filepath.Clean(target), filepath.Clean(dir))
 }
 
-func extractNestedArchive(ctx context.Context, d string, f string, extracted *sync.Map) error {
+func extractNestedArchive(ctx context.Context, d string, f string, extracted *sync.Map, logger *clog.Logger) error {
 	if ctx.Err() != nil {
 		return ctx.Err()
 	}
@@ -87,14 +88,28 @@ func extractNestedArchive(ctx context.Context, d string, f string, extracted *sy
 		return nil
 	}
 
-	err = extract(ctx, d, fullPath)
+	archivePath := filepath.Join(d, strings.TrimSuffix(f, programkind.GetExt(f)))
+	// Some packages may have archives and files with colliding names
+	// e.g., demo_page.css and demo_page.css.gz
+	// the former is the uncompressed version of the latter
+	// if we encounter this, replace the name with something that won't collide
+	if _, err := os.Stat(archivePath); err == nil {
+		logger.Debugf("duplicate file name already exists, modifying directory name for %s", archivePath)
+		archivePath = fmt.Sprintf("%s%d", archivePath, time.Now().UnixNano())
+	}
+
+	if err := os.MkdirAll(archivePath, 0o755); err != nil {
+		return fmt.Errorf("failed to create extraction directory: %w", err)
+	}
+
+	err = extract(ctx, archivePath, fullPath)
 	if err != nil {
 		return fmt.Errorf("failed to extract archive: %w", err)
 	}
 
 	extracted.Store(f, true)
 
-	if err := os.RemoveAll(fullPath); err != nil {
+	if err := os.Remove(fullPath); err != nil {
 		return fmt.Errorf("failed to remove archive file: %w", err)
 	}
 
@@ -109,7 +124,7 @@ func extractNestedArchive(ctx context.Context, d string, f string, extracted *sy
 		}
 		rel := file.Name()
 		if _, alreadyProcessed := extracted.Load(rel); !alreadyProcessed {
-			if err := extractNestedArchive(ctx, d, rel, extracted); err != nil {
+			if err := extractNestedArchive(ctx, d, rel, extracted, logger); err != nil {
 				return fmt.Errorf("process nested file %s: %w", rel, err)
 			}
 		}
@@ -187,7 +202,7 @@ func ExtractArchiveToTempDir(ctx context.Context, path string) (string, error) {
 
 		ext := programkind.GetExt(path)
 		if _, ok := programkind.ArchiveMap[ext]; ok {
-			if err := extractNestedArchive(ctx, tmpDir, rel, &extractedFiles); err != nil {
+			if err := extractNestedArchive(ctx, tmpDir, rel, &extractedFiles, logger); err != nil {
 				return err
 			}
 		}
diff --git a/pkg/archive/bz2.go b/pkg/archive/bz2.go
@@ -2,6 +2,7 @@ package archive
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -49,7 +50,7 @@ func ExtractBz2(ctx context.Context, d, f string) error {
 	if !IsValidPath(target, d) {
 		return fmt.Errorf("invalid file path: %s", target)
 	}
-	if err := os.MkdirAll(d, 0o700); err != nil {
+	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
 		return fmt.Errorf("failed to create directory for file: %w", err)
 	}
 
@@ -73,20 +74,22 @@ func ExtractBz2(ctx context.Context, d, f string) error {
 		}
 
 		n, err := br.Read(buf)
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return fmt.Errorf("failed to read file contents: %w", err)
+		if n > 0 {
+			written += int64(n)
+			if written > maxBytes {
+				return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+			}
+			if _, writeErr := out.Write(buf[:n]); writeErr != nil {
+				return fmt.Errorf("failed to write file contents: %w", writeErr)
+			}
 		}
 
-		written += int64(n)
-		if written > maxBytes {
-			return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+		if errors.Is(err, io.EOF) {
+			break
 		}
 
-		if _, err := out.Write(buf[:n]); err != nil {
-			return fmt.Errorf("failed to write file contents: %w", err)
+		if err != nil {
+			return fmt.Errorf("failed to read file contents: %w", err)
 		}
 	}
 
diff --git a/pkg/archive/gzip.go b/pkg/archive/gzip.go
@@ -90,21 +90,24 @@ func ExtractGzip(ctx context.Context, d string, f string) error {
 		}
 
 		n, err := gr.Read(buf)
+		if n > 0 {
+			written += int64(n)
+			if written > maxBytes {
+				return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+			}
+
+			if _, writeErr := out.Write(buf[:n]); writeErr != nil {
+				return fmt.Errorf("failed to write file contents: %w", writeErr)
+			}
+		}
+
 		if errors.Is(err, io.EOF) {
 			break
 		}
+
 		if err != nil {
 			return fmt.Errorf("failed to read file contents: %w", err)
 		}
-
-		written += int64(n)
-		if written > maxBytes {
-			return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
-		}
-
-		if _, err := out.Write(buf[:n]); err != nil {
-			return fmt.Errorf("failed to write file contents: %w", err)
-		}
 	}
 
 	return nil
diff --git a/pkg/archive/rpm.go b/pkg/archive/rpm.go
@@ -128,21 +128,23 @@ func ExtractRPM(ctx context.Context, d, f string) error {
 			}
 
 			n, err := cr.Read(buf)
+			if n > 0 {
+				written += int64(n)
+				if written > maxBytes {
+					return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+				}
+				if _, writeErr := out.Write(buf[:n]); writeErr != nil {
+					return fmt.Errorf("failed to write file contents: %w", writeErr)
+				}
+			}
+
 			if errors.Is(err, io.EOF) {
 				break
 			}
+
 			if err != nil {
 				return fmt.Errorf("failed to read file contents: %w", err)
 			}
-
-			written += int64(n)
-			if written > maxBytes {
-				return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
-			}
-
-			if _, err := out.Write(buf[:n]); err != nil {
-				return fmt.Errorf("failed to write file contents: %w", err)
-			}
 		}
 
 		if err := out.Close(); err != nil {
diff --git a/pkg/archive/tar.go b/pkg/archive/tar.go
@@ -114,23 +114,22 @@ func ExtractTar(ctx context.Context, d string, f string) error {
 			}
 
 			n, err := xzStream.Read(buf)
-			if errors.Is(err, io.EOF) {
-				break
-			}
-			if err != nil {
-				if strings.Contains(err.Error(), "unexpected EOF") && n > 0 {
-					break
+			if n > 0 {
+				written += int64(n)
+				if written > maxBytes {
+					return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+				}
+				if _, writeErr := out.Write(buf[:n]); writeErr != nil {
+					return fmt.Errorf("failed to write file contents: %w", writeErr)
 				}
-				return fmt.Errorf("failed to read file contents: %w", err)
 			}
 
-			written += int64(n)
-			if written > maxBytes {
-				return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+			if errors.Is(err, io.EOF) {
+				break
 			}
 
-			if _, err := out.Write(buf[:n]); err != nil {
-				return fmt.Errorf("failed to write file contents: %w", err)
+			if err != nil {
+				return fmt.Errorf("failed to read file contents: %w", err)
 			}
 		}
 		return nil
@@ -152,20 +151,23 @@ func ExtractTar(ctx context.Context, d string, f string) error {
 			}
 
 			n, err := br.Read(buf)
-			if err == io.EOF {
-				break
-			}
-			if err != nil {
-				return fmt.Errorf("failed to read file contents: %w", err)
+			if n > 0 {
+				written += int64(n)
+				if written > maxBytes {
+					return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+				}
+
+				if _, writeErr := out.Write(buf[:n]); writeErr != nil {
+					return fmt.Errorf("failed to write file contents: %w", writeErr)
+				}
 			}
 
-			written += int64(n)
-			if written > maxBytes {
-				return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+			if errors.Is(err, io.EOF) {
+				break
 			}
 
-			if _, err := out.Write(buf[:n]); err != nil {
-				return fmt.Errorf("failed to write file contents: %w", err)
+			if err != nil {
+				return fmt.Errorf("failed to read file contents: %w", err)
 			}
 		}
 		return nil
diff --git a/pkg/archive/zip.go b/pkg/archive/zip.go
@@ -2,13 +2,15 @@ package archive
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/malcontent/pkg/pool"
@@ -113,6 +115,14 @@ func extractFile(ctx context.Context, file *zip.File, destDir string, logger *cl
 		return ctx.Err()
 	}
 
+	// macOS will encounter issues with paths like META-INF/LICENSE and META-INF/license/foo
+	// this case insensitivity will break scans, so rename files that collide with existing directories
+	if runtime.GOOS == "darwin" {
+		if _, err := os.Stat(filepath.Join(destDir, file.Name)); err == nil {
+			file.Name = fmt.Sprintf("%s%d", file.Name, time.Now().UnixNano())
+		}
+	}
+
 	buf := zipPool.Get(zipBuffer)
 
 	clean := filepath.Clean(filepath.ToSlash(file.Name))
@@ -154,20 +164,23 @@ func extractFile(ctx context.Context, file *zip.File, destDir string, logger *cl
 		}
 
 		n, err := src.Read(buf)
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return fmt.Errorf("failed to read file contents: %w", err)
+		if n > 0 {
+			written += int64(n)
+			if written > maxBytes {
+				return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+			}
+
+			if _, writeErr := dst.Write(buf[:n]); writeErr != nil {
+				return fmt.Errorf("failed to write file contents: %w", writeErr)
+			}
 		}
 
-		written += int64(n)
-		if written > maxBytes {
-			return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+		if errors.Is(err, io.EOF) {
+			break
 		}
 
-		if _, err := dst.Write(buf[:n]); err != nil {
-			return fmt.Errorf("failed to write file contents: %w", err)
+		if err != nil {
+			return fmt.Errorf("failed to read file contents: %w", err)
 		}
 	}
 
diff --git a/pkg/archive/zlib.go b/pkg/archive/zlib.go
diff --git a/pkg/archive/zstd.go b/pkg/archive/zstd.go
diff --git a/pkg/refresh/action.go b/pkg/refresh/action.go
