Reject symlinks in OCI layout blobs by mosskappa · Pull Request #2306 · google/go-containerregistry
Summary
This change makes OCI layout blob reads reject symlinks and other non-regular files before returning blob contents.
layout.Path.Blob and layout.Path.Bytes now share the same open path, which:
- uses Lstat to reject symlinks before opening the blob path
- rejects non-regular files
- verifies the opened file still matches the original filesystem entry
This prevents local OCI layouts from resolving blobs/<algorithm>/<hex> entries through symlinks when used by layout readers and commands such as crane push or crane index append.
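The three checks listed above, shown as an added example that is not the project's own code: a hypothetical openBlob helper that uses Lstat to refuse a symlink at the blob path, rejects anything that is not a regular file, and compares the opened descriptor against the original entry with os.SameFile.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// openBlob opens blobs/<algorithm>/<hex> under root, refusing to follow a
// symlink at the blob path. Hypothetical helper, not the project's own code.
func openBlob(root, algorithm, hex string) (io.ReadCloser, error) {
	p := filepath.Join(root, "blobs", algorithm, hex)
	// Lstat does not follow symlinks, so a link is reported as ModeSymlink.
	fi, err := os.Lstat(p)
	if err != nil {
		return nil, err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return nil, fmt.Errorf("oci layout: %s is a symlink", p)
	}
	if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("oci layout: %s is not a regular file", p)
	}
	f, err := os.Open(p)
	if err != nil {
		return nil, err
	}
	// Re-check the opened descriptor so an entry swapped between Lstat and
	// Open (a TOCTOU race) is caught: it would no longer be the same inode.
	opened, err := f.Stat()
	if err != nil || !opened.Mode().IsRegular() || !os.SameFile(fi, opened) {
		f.Close()
		if err == nil {
			err = errors.New("oci layout: blob changed between stat and open")
		}
		return nil, err
	}
	return f, nil
}

func main() {
	// Constructed demo: "." has no blobs/ directory, so this reports an error.
	if _, err := openBlob(".", "sha256", "deadbeef"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Only the final path element is checked this way; a symlinked blobs/ or algorithm directory higher up is still followed by Lstat, so the layout root itself must be trusted.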
Tests
Run in Docker on Linux so symlink behavior is exercised:
docker run --rm -v ${PWD}:/src -w /src golang:1.25 go test ./pkg/v1/layout ./cmd/crane/cmd -run 'TestLayoutBlobSymlink|TestLayoutAppendImageSymlink|TestCranePushLayoutSymlinkBlobNotUploaded' -count=1 -v
All targeted tests passed.