update(cmd/internal): add a function to copy bytes in chunks

better memory footprint and solving gosec problem

Signed-off-by: Lorenzo Susini <[email protected]>

Author: loresuso

cmd/internal/utils/extract.go

@@ -17,6 +17,7 @@ package utils
 import (
 	"archive/tar"
 	"compress/gzip"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -32,10 +33,10 @@ func ExtractTarGz(gzipStream io.Reader, destDir string) error {
 
 	tarReader := tar.NewReader(uncompressedStream)
 
-	for true {
+	for {
 		header, err := tarReader.Next()
 
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
 		}
 
@@ -45,16 +46,19 @@ func ExtractTarGz(gzipStream io.Reader, destDir string) error {
 
 		switch header.Typeflag {
 		case tar.TypeDir:
-			return fmt.Errorf("unexepected dir inside the archive. Expected to find only files without any tree structure.")
+			return fmt.Errorf("unexepected dir inside the archive, expected to find only files without any tree structure")
 		case tar.TypeReg:
-			outFile, err := os.Create(filepath.Join(destDir, header.Name))
+			outFile, err := os.Create(filepath.Clean(filepath.Join(destDir, filepath.Clean(header.Name))))
 			if err != nil {
 				return err
 			}
-			if _, err := io.Copy(outFile, tarReader); err != nil {
+			if err := copyInChunks(outFile, tarReader); err != nil {
+				return err
+			}
+			err = outFile.Close()
+			if err != nil {
 				return err
 			}
-			outFile.Close()
 
 		default:
 			return fmt.Errorf("extractTarGz: uknown type: %b in %s", header.Typeflag, header.Name)
@@ -63,3 +67,17 @@ func ExtractTarGz(gzipStream io.Reader, destDir string) error {
 
 	return nil
 }
+
+func copyInChunks(dst io.Writer, src io.Reader) error {
+	for {
+		_, err := io.CopyN(dst, src, 1024)
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				break
+			}
+			return err
+		}
+	}
+
+	return nil
+}