
Move tar and zip extraction into a reusable package #371

Open
ahmetb opened this issue Nov 10, 2019 · 2 comments
Labels
  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/cleanup: Categorizes issue or PR as related to cleaning up code, process, or technical debt.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/P3: P3 issues or PRs

Comments


ahmetb commented Nov 10, 2019

/kind cleanup
/priority P3

As shown in the security advisory it's hard to reason about TAR extraction and, more importantly, to do the job securely.

Let's move the tar + zip extraction code out of pkg/downloader to its own package somewhere so we can use it in other projects.

It would be great to have some of the options to these methods configurable; this would also make tests easier. For example, objects like TarGzExtractOptions and ZipExtractOptions with flags like:

  • skip verifying secure paths (default: false)
  • (for tarballs) skip pax header (default: true)
  • ... what else?
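A sketch of what such an options-driven extractor could look like, added here as an example (not krew's code and not the advisory's fix): TarExtractOptions, SecurePath and PlanTar are hypothetical names, the input is a plain tar stream (wrap it in gzip.NewReader for .tar.gz), and filepath.IsLocal requires Go 1.20 or later. PlanTar validates every entry against the destination before anything touches disk, so one traversal entry or symlink rejects the whole archive instead of leaving it half extracted.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path/filepath"
)

// TarExtractOptions is a hypothetical options struct shaped like the issue's proposal, not krew's own code.
type TarExtractOptions struct {
	SkipSecurePathCheck bool // false: reject entries that would resolve outside dst
	SkipPaxHeader       bool // true: drop the pax global header entry
}

// SecurePath resolves name under dst. filepath.IsLocal (Go 1.20+) rejects empty and absolute
// names and any name whose ".." elements would climb above dst once the path is cleaned.
func SecurePath(dst, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("entry %q escapes %q", name, dst)
	}
	return filepath.Join(dst, name), nil
}

// PlanTar validates every entry before anything is written and returns each entry's destination
// path. Wrap r in gzip.NewReader for .tar.gz input; symlinks and other special entries are refused.
func PlanTar(r io.Reader, dst string, opts TarExtractOptions) ([]string, error) {
	var targets []string
	for tr := tar.NewReader(r); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		} else if err != nil {
			return nil, err
		}
		if opts.SkipPaxHeader && (hdr.Typeflag == tar.TypeXGlobalHeader || hdr.Name == "pax_global_header") {
			continue // git-archive style global header describes no file
		}
		if hdr.Typeflag != tar.TypeDir && hdr.Typeflag != tar.TypeReg {
			return nil, fmt.Errorf("refusing entry type %q for %q", hdr.Typeflag, hdr.Name)
		}
		target := filepath.Join(dst, hdr.Name) // the naive join; only safe when the check below runs
		if !opts.SkipSecurePathCheck {
			if target, err = SecurePath(dst, hdr.Name); err != nil {
				return nil, err
			}
		}
		targets = append(targets, target)
	}
}
```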
@k8s-ci-robot k8s-ci-robot added the kind/cleanup and priority/P3 labels Nov 10, 2019
ferhatelmas added a commit to ferhatelmas/krew that referenced this issue Nov 13, 2019
Right now, archiver doesn't handle the security issue,
but there is an existing PR to handle it.
Added a walker to handle it until upstream is fixed.

fixes kubernetes-sigs#371
ferhatelmas added a commit to ferhatelmas/krew that referenced this issue Nov 13, 2019
Right now, archiver doesn't handle the security issue,
but there is an existing PR to handle it.
Added a walker to handle it until upstream is fixed.
When it's updated with go modules, the walker can be dropped.

fixes kubernetes-sigs#371
@ahmetb ahmetb added the help wanted label Nov 14, 2019
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale label (denotes an issue or PR that has remained open with no activity and has become stale) Feb 12, 2020

ahmetb commented Feb 12, 2020

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen label and removed the lifecycle/stale label Feb 12, 2020