mirror of https://github.com/vbatts/tar-split.git synced 2025-02-13 05:07:51 +00:00
Commit graph

254 commits

Author SHA1 Message Date
1c425c4aaa
archive/tar: fix for CVE-2022-2879
Fixes: #76

A specially crafted tar archive can cause `io.ReadAll()` to overrun
memory.
The fix is taken from upstream golang, as this tar-split repo carries an
old fork from upstream.

Thanks to @tojoos and @bainsy88 for reporting.

References:
- https://nvd.nist.gov/vuln/detail/cve-2022-2879
- https://github.com/golang/go/commit/0bf7ee9
- https://go-review.googlesource.com/c/go/+/439355/2/src/archive/tar/reader.go#106

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2025-01-20 10:25:58 -05:00
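The commit above does not show the code, so here is an added example (written for this page, not code from tar-split or from the upstream Go fix it references) that reproduces the pattern behind CVE-2022-2879 and the bound that closes it. A PAX extended header (typeflag 'x') is a "special file" whose body the reader slurps into memory with `io.ReadAll`; the only limit on that read was the size field the attacker wrote into the entry header. The 1 MiB cap and the `ErrFieldTooLong` name below follow the upstream reader's approach, but the constants, functions, the `endless` reader and the sample records are this example's own assumptions; `parsePAXRecords` is a minimal decoder of the `<len> <key>=<value>\n` record format, included to show what the bounded bytes actually contain.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// maxSpecialFileSize caps how much of a PAX/GNU "special file" entry
// (typeflag 'x', 'L', 'K', ...) is read into memory. 1 MiB is the bound
// the upstream archive/tar fix uses; assumed here to be ample for any
// legitimate PAX extended header.
const maxSpecialFileSize = 1 << 20

// ErrFieldTooLong is this example's own sentinel, mirroring the error the
// fixed stdlib reader returns; it is not archive/tar's variable.
var ErrFieldTooLong = errors.New("tar: header field too long")

// readSpecialFileUnbounded is the pre-fix pattern: the tar reader hands back
// a body reader already limited to the size declared in the entry header,
// and io.ReadAll trusts that size. The size is attacker-controlled.
func readSpecialFileUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readSpecialFileBounded reads at most maxSpecialFileSize+1 bytes and fails
// if the entry is longer, so memory use no longer tracks the header's size
// field. Reading one extra byte distinguishes "exactly at the limit" from
// "over the limit" without a second read.
func readSpecialFileBounded(body io.Reader) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(body, maxSpecialFileSize+1))
	if len(buf) > maxSpecialFileSize {
		return nil, ErrFieldTooLong
	}
	return buf, err
}

// parsePAXRecords decodes the "<len> <key>=<value>\n" records that make up a
// PAX extended header body. Every length is checked against the remaining
// input and must land on a newline; malformed records are rejected.
func parsePAXRecords(buf []byte) (map[string]string, error) {
	records := make(map[string]string)
	rest := string(buf)
	for len(rest) > 0 {
		sp := strings.IndexByte(rest, ' ')
		if sp < 0 {
			return nil, errors.New("pax: missing length field")
		}
		n, err := strconv.Atoi(rest[:sp])
		if err != nil || n <= sp+1 || n > len(rest) || rest[n-1] != '\n' {
			return nil, errors.New("pax: bad record length")
		}
		kv := rest[sp+1 : n-1]
		eq := strings.IndexByte(kv, '=')
		if eq < 0 {
			return nil, errors.New("pax: missing '='")
		}
		records[kv[:eq]] = kv[eq+1:]
		rest = rest[n:]
	}
	return records, nil
}

// craftedEntryBody models the body of a malicious 'x' entry as the reader
// sees it: an endless stream of attacker bytes, cut off only at the size the
// attacker wrote into the 512-byte header. No on-disk archive is needed to
// reproduce the allocation behaviour.
func craftedEntryBody(declaredSize int64) io.Reader {
	return io.LimitReader(endless{}, declaredSize)
}

// endless never returns EOF; it stands in for a network stream.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// paxRecord builds one well-formed record for the constructed sample input.
// The length prefix counts itself, so the digit count is solved iteratively.
func paxRecord(key, value string) string {
	body := " " + key + "=" + value + "\n"
	n := len(body)
	for d := 1; ; d++ {
		if len(strconv.Itoa(n+d)) == d {
			n += d
			break
		}
	}
	return strconv.Itoa(n) + body
}

func main() {
	// A legitimate PAX header (constructed sample): both readers accept it.
	good := []byte(paxRecord("path", "some/long/file/name.txt") + paxRecord("size", "12"))
	buf, err := readSpecialFileBounded(bytes.NewReader(good))
	fmt.Println(len(buf), err)
	recs, err := parsePAXRecords(buf)
	fmt.Println(recs, err)

	// A crafted entry declaring 4 MiB: the unbounded read allocates all of it
	// (scale the size up and the process is OOM-killed), the bounded read
	// stops after 1 MiB + 1 byte and rejects the archive.
	const evil = 4 << 20
	buf, err = readSpecialFileUnbounded(craftedEntryBody(evil))
	fmt.Println(len(buf), err)
	buf, err = readSpecialFileBounded(craftedEntryBody(evil))
	fmt.Println(len(buf), err)
}
```

The check a consumer of a forked archive/tar wants is the second call in `main`: a header whose size field exceeds the cap must fail with `ErrFieldTooLong` instead of allocating, and the same bound should sit in front of every other special-file read (GNU long name and long link entries), not only the PAX path.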
cc780eeb0b
Merge pull request #74 from vbatts/funding
funding: adding github funding configuration
2024-10-24 13:34:30 -04:00
fc0525c564
funding: adding github funding configuration
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2024-10-24 17:32:24 +00:00
b29a6c0613
Merge pull request #73 from vbatts/update-mods
Update mods
2024-10-21 10:55:34 -04:00
26344cb0e1
github: update golang version used for lint test
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2024-10-21 14:40:57 +00:00
18eabcdcca
go*: update modules
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2024-10-21 14:33:58 +00:00
5fa6536fc3
magefile: update golangci-lint 1.51.2 -> 1.61.0
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2024-10-21 14:32:54 +00:00
1f44cc4dc3
Merge pull request #70 from vbatts/update-mods
Update mods
2024-09-26 20:14:20 -04:00
f39ca648b8
go*: update modules
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2024-09-27 00:11:48 +00:00
ac25d96350
Merge pull request #72 from vbatts/go-versions
github: drop go1.17, and add go1.21 & go1.22
2024-09-26 20:11:19 -04:00
84c1d450ea
github: drop go1.17, and add go1.21 & go1.22
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2024-09-27 00:08:58 +00:00
93a41cfb1a
Merge pull request #71 from mtrmac/iterate
Add tar/asm.IterateHeaders
2024-09-26 19:48:18 -04:00
Miloslav Trmač
99c8914877
Add tar/asm.IterateHeaders
This allows reading the metadata contained in tar-split
without expensively recreating the whole tar stream
including full contents.

We have two use cases for this:
- In a situation where tar-split is distributed along with
  a separate metadata stream, ensuring that the two are
  exactly consistent
- Reading the tar headers allows making a ~cheap check
  of consistency of on-disk layers, just checking that the
  files exist in expected sizes, without reading the full
  contents.

This can be implemented outside of this repo, but it's
not ideal:
- The function necessarily hard-codes some assumptions
  about how tar-split determines the boundaries of
  SegmentType/FileType entries (or, indeed, whether it
  uses FileType entries at all). That's best maintained
  directly beside the code that creates this.
- The ExpectedPadding() value is not currently exported,
  so the consumer would have to heuristically guess where
  the padding ends.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2024-09-11 20:01:49 +02:00
fe4605ae8b
Merge pull request #69 from testwill/typo
fix: utility typo
2023-08-26 07:26:36 -05:00
guoguangwu
bd00927367
fix: utility typo
2023-08-26 16:23:45 +08:00
5ef0dd8243
Merge pull request #68 from mtrmac/read-0-nil
Correctly handle Read returning (0, nil)
2023-07-22 13:09:38 -04:00
Miloslav Trmač
cd197d3076
Correctly handle Read returning (0, nil)
It's not an EOF indication.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2023-07-22 02:35:45 +02:00
9982e470fa
Merge pull request #67 from vbatts/troubleshoot_65
don't add a padding entry if it has no bytes
2023-07-21 09:10:47 -04:00
b6372414e5
tar/asm: don't add a padding entry if it has no bytes
Fixes #65

If the number of read bytes is 0, then don't even create the entry for that
padding.
This sounds like the solution for the issue opened, but I haven't found
a reproducer for this issue yet. :-\

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-07-21 09:02:43 -04:00
cad1f451fd
tar/asm: troubleshooting padding EOF issue
Reference #65

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-07-21 09:02:29 -04:00
db25994f5b
Merge pull request #66 from testwill/ioutil
chore: remove refs to deprecated io/ioutil
2023-07-20 11:41:06 -04:00
guoguangwu
919f9abf38
chore: remove refs to deprecated io/ioutil
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-07-20 23:00:46 +08:00
f966b14096
magefile: attempting to recreate make file dependencies
this is sloppy/clunky :-\

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-04-27 14:19:40 -04:00
724d595c03
magefile: include benchmark in test
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-04-27 14:12:07 -04:00
58175ba396
Merge pull request #64 from vbatts/mage
Housekeeping!
2023-03-26 14:20:38 -04:00
e4450847fb
tar/storage: remove TODOs; the ship has sailed on changing the encoding
This function is used widely and it's JSON. And it was not written in
such a way as to have an exchangeable codec, per se.
So, maybe I'll just kick out the idea of using https://github.com/ugorji/go

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-26 14:10:16 -04:00
075c33cadf
*: mage, drop go1.1{5,6}, module updates, drop vendor
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-26 14:01:33 -04:00
16d1376be9
README: update the doc URLs
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 22:53:36 -04:00
95fc9b62ed
version: move version into the app main
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 22:49:08 -04:00
3cdf99b6d4
Merge pull request #63 from vbatts/go_updates
*go: update all modules to the latest still compatible with go1.15
2023-03-25 22:25:25 -04:00
de24f79d5d
*go: update all modules to the latest still compatible with go1.15
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 22:20:56 -04:00
dea500a137
Merge pull request #62 from vbatts/gofmt
*.go: `gofmt -s -w`
2023-03-25 21:08:59 -04:00
32b8c61be1
Merge pull request #61 from vbatts/badge
README: switch to the github action badges
2023-03-25 21:08:06 -04:00
2b88967591
*.go: gofmt -s -w
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 21:05:25 -04:00
679a7948ae
README: switch to the github action badges
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 21:00:42 -04:00
da105eb683
Merge pull request #60 from vbatts/workflows
Workflows
2023-03-25 20:56:13 -04:00
bc1624cbfc
archive/tar: linting errors
I intend to not make changes to this `archive/tar` that aren't from
upstream, or are not directly related to the usage by this project...

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 20:45:37 -04:00
516158dbfb
*.go: linting project specific code
The pointer to the pool may be useful, but I'm holding off on that until I get
benchmarks of memory use to show the benefit.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 20:45:23 -04:00
19fa6f3d1e
github/workflow: first pass
May add magefile/mage next, but it seems to require go1.17? So, I'm
holding off for a minute.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 20:39:31 -04:00
3c599ed534
travis: be gone with you!
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 20:39:06 -04:00
70fb294a9b
tar/asm: go vet fixes
on go1.19.7

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2023-03-25 20:38:36 -04:00
80a436fd61
Merge pull request #54 from mtrmac/allocations
Avoid a 32 kB file allocation on every bitBucketFilePutter.Put
2021-08-23 06:18:35 -04:00
Miloslav Trmač
8d76363085
Avoid a 32 kB file allocation on every bitBucketFilePutter.Put
io.Copy usually allocates a 32kB buffer, and due to the large
number of files processed by tar-split, this shows up in Go profiles
as a very large alloc_space total.

It doesn't seem to actually be a measurable problem in any way,
but we can allocate the buffer only once per tar-split creation,
at no additional cost to existing allocations, so let's do so,
and remove the distraction.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2021-08-21 03:24:39 +02:00
05e7c395fb
Merge pull request #53 from asellappen/master
Add poweron architecture ppc64le to travis build
2020-10-28 07:32:45 -04:00
asellappen
6b914ec7a4
Add poweron architecture ppc64le to travis build
travis build to support
2020-10-28 11:46:55 +05:30
4b50e3822d
Merge pull request #52 from vbatts/vendor
go mod and vendoring
2020-10-27 20:19:30 -04:00
f78d1a4af1
travis: test from go1.10 - go1.15
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2020-10-27 12:10:43 -04:00
ec6b1ae20e
vendor the dependencies
There is a discrepancy of behavior of `github.com/urfave/cli` between
using go1.12 and go1.15, when the dependency is not present as vendored
source. Now this builds fine with go1.12

There are users of tar-split as a package. It is the hope that by adding
this vendored source it does not impact them depending on tar-split
itself.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2020-10-27 12:10:40 -04:00
a62c8017af
go mod
closer coupling to versions of dependencies

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2020-10-27 12:10:36 -04:00
620714a4c5
Merge pull request #49 from steveb/asm-compress
Add --compress flag to tar-split asm
2018-10-22 15:49:18 +01:00