Description of the bug
When packing a directory, the org.opencontainers.image.title annotation is set to the given directory, but instead of the directory only its content is packaged, which leads to inconsistency of the annotation and the actual content.
I think the bug has been introduced with #283.
The inconsistent title leads to errors like this when pulling with the oras-cli:
Error: failed to extract tar to /workspace/my-directory: "my-file.txt" is outside of "my-directory".
When pushing with the oras-cli, the given directory is included in the image, which would match the behavior of oras-java-sdk before the mentioned PR if I understand correctly.
IMHO to prevent path-traversal attacks it would be enough to not allow ".." as a path segment in the given directory.
Used versions:
- oras-java-sdk: 0.2.14
- oras-cli: v1.2.3
Workaround:
Append "/." to the LocalPath:
LocalPath.of((fileOrDirectory.isDirectory() ? new File(fileOrDirectory, ".") : fileOrDirectory).toPath())
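The mismatch described in this report, as an added example that is not code from oras-java-sdk or the oras-cli: a plain-JDK check that every archive entry lands under the directory named by the title annotation. The class and method names, the `/workspace` path and the entry lists are constructed, and the rule that entries must resolve under `<workDir>/<title>` is an assumption inferred from the error message quoted above.

```java
import java.nio.file.Path;
import java.util.List;

// Added illustration; not part of oras-java-sdk or the oras-cli.
public class TitleConsistencyCheck {

    // Assumption: the puller unpacks into workDir and requires every entry to land
    // under workDir/<title>, as the quoted error message suggests.
    // Returns a description of the first offending entry, or null if all entries fit.
    static String firstViolation(Path workDir, String title, List<String> entryNames) {
        Path expectedRoot = workDir.resolve(title).toAbsolutePath().normalize();
        for (String name : entryNames) {
            // resolve() returns an absolute entry name unchanged and normalize()
            // collapses ".." segments, so both escape routes fail the startsWith
            // test. The check is lexical only: symlinks are not followed.
            Path target = workDir.resolve(name).toAbsolutePath().normalize();
            if (!target.startsWith(expectedRoot)) {
                return "\"" + name + "\" is outside of \"" + title + "\"";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Path workDir = Path.of("/workspace");   // constructed
        String title = "my-directory";          // value of org.opencontainers.image.title

        // Constructed entry lists for the three cases.
        List<String> contentsOnly = List.of("my-file.txt", "sub/other.txt");
        List<String> withDirectory = List.of("my-directory/my-file.txt", "my-directory/sub/other.txt");
        List<String> withDotDot = List.of("my-directory/../escape.txt");

        System.out.println("contents only:  " + firstViolation(workDir, title, contentsOnly));
        System.out.println("with directory: " + firstViolation(workDir, title, withDirectory));
        System.out.println("with '..':      " + firstViolation(workDir, title, withDotDot));
    }
}
```

Running the same check on the packing side, before the layer is pushed, would surface a title and content mismatch without needing a pull to fail first.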