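package file

import (
	"errors"
	"fmt"
	"io"
)

// perFileReadLimit caps how many bytes safeCopy will transfer for a single
// file. GB is declared elsewhere in this package.
const perFileReadLimit = 2 * GB

// safeCopy copies reader into writer but stops after perFileReadLimit bytes.
// This is useful when extracting files from archives to protect against
// decompression bomb attacks.
//
// It returns an error when the limit is reached (a file that is exactly
// perFileReadLimit bytes long is also reported as hitting the limit, since the
// copy cannot tell whether more data followed), and it returns any read or
// write error from the copy itself, wrapped with context. A nil return means
// the whole file was copied below the limit.
func safeCopy(writer io.Writer, reader io.Reader) error {
	numBytes, err := io.Copy(writer, io.LimitReader(reader, perFileReadLimit))

	// The limited reader reports a clean EOF once it has handed out
	// perFileReadLimit bytes, so err is nil in that case; the byte count is
	// the only signal that the cap was hit. Check it first so that an
	// oversized input is always reported as such.
	if numBytes >= perFileReadLimit {
		return errors.New("zip read limit hit (potential decompression bomb attack)")
	}

	// io.Copy never returns io.EOF; any non-nil err here is a genuine read
	// or write failure and must not be swallowed, otherwise a truncated or
	// partially written file would be treated as a successful extraction.
	if err != nil {
		return fmt.Errorf("copying file contents: %w", err)
	}
	return nil
}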