Skip to content

oci: preserve dir mode when extracting tar layers#1151

Merged
stefanprodan merged 1 commit intofluxcd:mainfrom
frazew:pull-preserve-mode
Apr 14, 2026
Merged

oci: preserve dir mode when extracting tar layers#1151
stefanprodan merged 1 commit intofluxcd:mainfrom
frazew:pull-preserve-mode

Conversation

@frazew
Copy link
Copy Markdown
Contributor

@frazew frazew commented Mar 20, 2026

OCI push/pull/diff is currently not "round-trip" safe, because the tar extraction function hardcodes 0o750 for directories

This:

flux push artifact oci://$OCI_REGISTRY/test:0.0.1 --path=oci/testdata/artifact/ --source=test --revision=test

TEMP_DIR=$(mktemp -d)
flux pull artifact oci://$OCI_REGISTRY/test:0.0.1 --output=$TEMP_DIR
echo diff with local directory
flux diff artifact oci://$OCI_REGISTRY/test:0.0.1 --path=oci/testdata/artifact/
echo diff with pulled directory
flux diff artifact oci://$OCI_REGISTRY/test:0.0.1 --path=$TEMP_DIR

Outputs the following, which feels very weird:

► pushing artifact to <registry>/namespace-busy-buck/test:0.0.1
✔ artifact successfully pushed to <registry>/namespace-busy-buck/test@sha256:9ef46286aa2a7377a88ba47ec010d87828798df636fe97d91709589f8f612c52
► pulling artifact from <registry>/namespace-busy-buck/test:0.0.1
✔ source test
✔ revision test
✔ digest <registry>/namespace-busy-buck/test@sha256:9ef46286aa2a7377a88ba47ec010d87828798df636fe97d91709589f8f612c52
✔ artifact content extracted to /tmp/tmp.fvo5yauoUa
diff with local directory
✔ no changes detected
diff with pulled directory
✗ the remote artifact contents differs from the local one

This was noticed while debugging why flux diff always returned a diff, even for seemingly identical file trees. Maybe there's a specific reason for doing that, but I couldn't find one while looking around the git / Github PR history!

There's (in my opinion) another issue with file modes not being fixed when creating the tar layers, but that would need to be in another PR and might need discussion because it might be a breaking change? (i.e. I think the code here should also rewrite header.Mode to 0o750/0o640 so that umask differences between machines don't impact the final artifact)

@frazew frazew requested review from a team and stefanprodan as code owners March 20, 2026 11:04
@frazew frazew force-pushed the pull-preserve-mode branch from 6f83d33 to e6725e8 Compare March 20, 2026 11:12
stefanprodan
stefanprodan reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change, a maliciously crafted artifact could now create world-writable directories (0o777) that source-controller would process. Not sure if this would not result in a CVE. cc @hiddeco

Comment thread tar/tar.go Outdated
@frazew frazew force-pushed the pull-preserve-mode branch from e6725e8 to a187017 Compare April 9, 2026 12:45
hiddeco
hiddeco reviewed Apr 13, 2026
View reviewed changes
Comment thread tar/tar.go Outdated
@frazew frazew force-pushed the pull-preserve-mode branch 2 times, most recently from 4164d36 to 7b19d37 Compare April 13, 2026 15:18
stefanprodan
stefanprodan reviewed Apr 14, 2026
View reviewed changes
Comment thread tar/tar_test.go Outdated
Comment thread tar/tar_test.go Outdated
@frazew frazew force-pushed the pull-preserve-mode branch from 7b19d37 to 81b2c28 Compare April 14, 2026 08:07
@stefanprodan
Copy link
Copy Markdown
Member

stefanprodan commented Apr 14, 2026

Hey @frazew is Scaleway using Flux? If so, could you please add it to the adopters page here: https://fluxcd.io/adopters/

Thanks!

@frazew frazew mentioned this pull request Apr 14, 2026
Merged
@stefanprodan stefanprodan added the area/oci OCI related issues and pull requests label Apr 14, 2026
@stefanprodan
Copy link
Copy Markdown
Member

stefanprodan commented Apr 14, 2026

@frazew can you rebase with upstream main and force push.

@frazew
oci: preserve dir mode when extracting tar layers
84aa850 
OCI push/pull/diff is currently not "round-trip" safe, because the tar
extraction function hardcodes 0o750 for directories

Signed-off-by: François HORTA <fhorta@scaleway.com>
@frazew frazew force-pushed the pull-preserve-mode branch from 81b2c28 to 84aa850 Compare April 14, 2026 10:08
stefanprodan
stefanprodan approved these changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @frazew

PS. This will be included in Flux 2.9 (@hiddeco will replicate the new behaviour in source-controller which will be a breaking change)

@stefanprodan stefanprodan merged commit 188ca35 into fluxcd:main Apr 14, 2026
14 checks passed
@frazew
Copy link
Copy Markdown
Contributor Author

frazew commented Apr 14, 2026

thanks a lot for your reviews and time!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

@hiddeco hiddeco hiddeco approved these changes

Assignees

No one assigned

Labels

area/oci OCI related issues and pull requests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@frazew @stefanprodan @hiddeco