cli/context/store: extract importTLSEntry helper

texasich · texasich · commit 580b3e50cfd2 · 2026-04-20T10:20:53.000-05:00
Pulls the per-entry TLS decoding out of importZip so the outer loop stays
under gocyclo's complexity limit. Pure refactor, no behavior change.

Signed-off-by: texasich &lt;texasich@users.noreply.github.com&gt;
diff --git a/cli/context/store/store.go b/cli/context/store/store.go
@@ -474,24 +474,7 @@ func importZip(name string, s Writer, reader io.Reader) error {
 			}
 			importedMetaFile = true
 		} else if strings.HasPrefix(zf.Name, "tls/") {
-			// Reject entries whose advertised uncompressed size exceeds
-			// the per-file cap without decompressing, to avoid allocating
-			// gigabytes for a zip bomb (see #6917).
-			if zf.UncompressedSize64 > uint64(maxAllowedFileSizeToImport) {
-				return invalidParameter(fmt.Errorf("%s: tls file exceeds maximum allowed size", zf.Name))
-			}
-			f, err := zf.Open()
-			if err != nil {
-				return err
-			}
-			// Defense in depth in case the zip header is spoofed.
-			data, err := io.ReadAll(&limitedReader{R: f, N: maxAllowedFileSizeToImport})
-			defer f.Close()
-			if err != nil {
-				return err
-			}
-			err = importEndpointTLS(&tlsData, zf.Name, data)
-			if err != nil {
+			if err := importTLSEntry(zf, &tlsData); err != nil {
 				return err
 			}
 		}
@@ -502,6 +485,26 @@ func importZip(name string, s Writer, reader io.Reader) error {
 	return s.ResetTLSMaterial(name, &tlsData)
 }
 
+func importTLSEntry(zf *zip.File, tlsData *ContextTLSData) error {
+	// Reject entries whose advertised uncompressed size exceeds
+	// the per-file cap without decompressing, to avoid allocating
+	// gigabytes for a zip bomb (see #6917).
+	if zf.UncompressedSize64 > uint64(maxAllowedFileSizeToImport) {
+		return invalidParameter(fmt.Errorf("%s: tls file exceeds maximum allowed size", zf.Name))
+	}
+	f, err := zf.Open()
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	// Defense in depth in case the zip header is spoofed.
+	data, err := io.ReadAll(&limitedReader{R: f, N: maxAllowedFileSizeToImport})
+	if err != nil {
+		return err
+	}
+	return importEndpointTLS(tlsData, zf.Name, data)
+}
+
 func parseMetadata(data []byte, name string) (Metadata, error) {
 	var meta Metadata
 	if err := json.Unmarshal(data, &meta); err != nil {
