Inconsistency between packaged directory and title annotation in layer

[rreich]

Description of the bug

When packing a directory, the org.opencontainers.image.title annotation is set to the given directory, but instead of the directory only its content is packaged, which leads to inconsistency of the annotation and the actual content.

I think the bug has been introduced with #283.

The inconsistent title leads to errors like this when pulling with the oras-cli:

Error: failed to extract tar to /workspace/my-directory: "my-file.txt" is outside of "my-directory".

When pushing with the oras-cli, the given directory is included in the image, which would match the behavior of oras-java-sdk before the mentioned PR if I understand correctly.

IMHO to prevent path-traversal attacks it would be enough to not allow ".." as a path segment in the given directory.

Used versions:

• oras-java-sdk: 0.2.14
• oras-cli: v1.2.3

Workaround:
Append "/." to the LocalPath:

LocalPath.of((fileOrDirectory.isDirectory() ? new File(fileOrDirectory, ".") : fileOrDirectory).toPath())

[jonesbusy]

I see, it seems there are also multiple issue.

1. The title annotation is wrong when using subpath like foo/bar due to

.withAnnotations(Map.of(
        Const.ANNOTATION_TITLE,
        path.getPath().getFileName().toString(),

Entries are always added at the root, ignoring the relative source path

ORAS Go also block by default absolute path

Error: absolute file path detected. If it's intentional, use --disable-path-validation flag to skip this check: /home/****/oras-java

I think 1 and 3 always existed and 2 migh have be cause by #283

[jonesbusy]

Thanks for the report

Fixed by #356

I will release 0.2.15 in some moment

[rreich]

That was quick. Thanks for the fix!