Test to check writeComposeFile detects invalid OCI artifact

ndeloof · glours · commit 6a90742ef29c · 2025-10-22T20:09:32.000+02:00
Signed-off-by: Nicolas De Loof &lt;nicolas.deloof@gmail.com&gt;
diff --git a/cmd/formatter/shortcut_windows.go b/cmd/formatter/shortcut_windows.go
@@ -22,4 +22,4 @@ package formatter
 func handleCtrlZ() {
 	// Windows doesn't support SIGSTOP/SIGCONT signals
 	// Ctrl+Z behavior is handled differently by the Windows terminal
-}
+}
diff --git a/pkg/compose/publish_test.go b/pkg/compose/publish_test.go
@@ -77,7 +77,8 @@ services:
 			MediaType: "application/vnd.docker.compose.file+yaml",
 			Annotations: map[string]string{
 				"com.docker.compose.file":    "compose.yaml",
-				"com.docker.compose.version": internal.Version},
+				"com.docker.compose.version": internal.Version,
+			},
 		},
 		{
 			MediaType: "application/vnd.docker.compose.file+yaml",
@@ -98,5 +99,4 @@ services:
 	assert.DeepEqual(t, expectedLayers, layers, cmp.FilterPath(func(path cmp.Path) bool {
 		return !slices.Contains([]string{".Data", ".Digest", ".Size"}, path.String())
 	}, cmp.Ignore()))
-
 }
diff --git a/pkg/compose/transform/replace.go b/pkg/compose/transform/replace.go
@@ -104,7 +104,6 @@ func ReplaceEnvFile(in []byte, service string, i int, value string) ([]byte, err
 	} else {
 		return replace(in, envFile.Line, envFile.Column, value), nil
 	}
-
 }
 
 func getMapping(root *yaml.Node, key string) (*yaml.Node, error) {
diff --git a/pkg/remote/oci.go b/pkg/remote/oci.go
@@ -179,7 +179,7 @@ func (g ociRemoteLoader) Dir(path string) string {
 	return g.known[path]
 }
 
-func (g ociRemoteLoader) pullComposeFiles(ctx context.Context, local string, manifest spec.Manifest, ref reference.Named, resolver remotes.Resolver) error { //nolint:gocyclo
+func (g ociRemoteLoader) pullComposeFiles(ctx context.Context, local string, manifest spec.Manifest, ref reference.Named, resolver remotes.Resolver) error {
 	err := os.MkdirAll(local, 0o700)
 	if err != nil {
 		return err
diff --git a/pkg/remote/oci_test.go b/pkg/remote/oci_test.go
@@ -19,6 +19,9 @@ package remote
 import (
 	"path/filepath"
 	"testing"
+
+	spec "github.com/opencontainers/image-spec/specs-go/v1"
+	"gotest.tools/v3/assert"
 )
 
 func TestValidatePathInBase(t *testing.T) {
@@ -84,11 +87,6 @@ func TestValidatePathInBase(t *testing.T) {
 			unsafePath: "..",
 			wantErr:    true,
 		},
-		{
-			name:       "current directory reference",
-			unsafePath: "./file.yaml",
-			wantErr:    false, // ./ resolves to base dir
-		},
 		{
 			name:       "mixed separators",
 			unsafePath: "config/sub\\file.yaml",
@@ -104,11 +102,6 @@ func TestValidatePathInBase(t *testing.T) {
 			unsafePath: "file-name_v1.2.3.yaml",
 			wantErr:    false,
 		},
-		{
-			name:       "single parent then back",
-			unsafePath: "../compose/file.yaml",
-			wantErr:    false, // Resolves back to base dir, which is fine
-		},
 	}
 
 	for _, tt := range tests {
@@ -123,3 +116,24 @@ func TestValidatePathInBase(t *testing.T) {
 		})
 	}
 }
+
+func TestWriteComposeFileWithExtendsPathTraversal(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create a layer with com.docker.compose.extends=true and a path traversal attempt
+	layer := spec.Descriptor{
+		MediaType: "application/vnd.docker.compose.file.v1+yaml",
+		Digest:    "sha256:test123",
+		Size:      100,
+		Annotations: map[string]string{
+			"com.docker.compose.extends": "true",
+			"com.docker.compose.file":    "../other",
+		},
+	}
+
+	content := []byte("services:\n  test:\n    image: nginx\n")
+
+	// writeComposeFile should return an error due to path traversal
+	err := writeComposeFile(layer, 0, tmpDir, content)
+	assert.Error(t, err, "invalid OCI artifact")
+}

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,6 @@ func ReplaceEnvFile(in []byte, service string, i int, value string) ([]byte, err`
`104`	`104`	`} else {`
`105`	`105`	`return replace(in, envFile.Line, envFile.Column, value), nil`
`106`	`106`	`}`
`107`		`-`
`108`	`107`	`}`
`109`	`108`
`110`	`109`	`func getMapping(root yaml.Node, key string) (yaml.Node, error) {`
Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ func (g ociRemoteLoader) Dir(path string) string {`
`179`	`179`	`return g.known[path]`
`180`	`180`	`}`
`181`	`181`
`182`		`-func (g ociRemoteLoader) pullComposeFiles(ctx context.Context, local string, manifest spec.Manifest, ref reference.Named, resolver remotes.Resolver) error { //nolint:gocyclo`
	`182`	`+func (g ociRemoteLoader) pullComposeFiles(ctx context.Context, local string, manifest spec.Manifest, ref reference.Named, resolver remotes.Resolver) error {`
`183`	`183`	`err := os.MkdirAll(local, 0o700)`
`184`	`184`	`if err != nil {`
`185`	`185`	`return err`