Merge pull request #1173 from fluxcd/refactor-tar-idioms

stefanprodan · web-flow · commit 9b7ca2d8e4ed · 2026-04-15T15:58:05.000+03:00
tar: various internal improvements
diff --git a/tar/symlinks.go b/tar/symlinks.go
@@ -56,11 +56,11 @@ func ResolveSymlinks(srcDir, dstDir string) error {
 		return fmt.Errorf("srcDir %s is not a directory", absSrc)
 	}
 
-	if err := checkDstDir(dstDir); err != nil {
+	if err = checkDstDir(dstDir); err != nil {
 		return err
 	}
 
-	return copyResolvedDir(realSrc, dstDir, make(map[string]bool))
+	return copyDir("", realSrc, dstDir, make(map[string]bool))
 }
 
 // ResolveSymlinksRoot is the confined variant of ResolveSymlinks: every
@@ -109,11 +109,11 @@ func ResolveSymlinksRoot(rootDir, srcDir, dstDir string) error {
 		return fmt.Errorf("srcDir %s is not a directory", absSrc)
 	}
 
-	if err := checkDstDir(dstDir); err != nil {
+	if err = checkDstDir(dstDir); err != nil {
 		return err
 	}
 
-	return copyConfinedDir(realRoot, realSrc, dstDir, make(map[string]bool))
+	return copyDir(realRoot, realSrc, dstDir, make(map[string]bool))
 }
 
 // checkDstDir verifies that dstDir exists and is a directory.
@@ -128,13 +128,16 @@ func checkDstDir(dstDir string) error {
 	return nil
 }
 
-// copyResolvedDir recursively copies srcDir (already resolved via
-// EvalSymlinks) into dstDir. visited tracks resolved directory paths
-// currently on the call stack so that a re-entry via a symlink does
-// not loop. Entries are removed when the call returns, so the same
-// directory may be copied again through a different symlink — this is
-// intentional (both link sites need the content).
-func copyResolvedDir(srcDir, dstDir string, visited map[string]bool) error {
+// copyDir recursively copies srcDir into dstDir, resolving all
+// symlinks. srcDir must already be fully resolved (no symlink
+// components). If confineRoot is non-empty, every symlink target must
+// resolve within confineRoot; a violation fails the call. visited is a
+// stack-based cycle breaker: directories currently on the call stack
+// are skipped to prevent infinite loops from symlink cycles. Entries
+// are removed when the call returns, so the same directory may be
+// copied again through a different symlink — this is intentional
+// (both link sites need the content).
+func copyDir(confineRoot, srcDir, dstDir string, visited map[string]bool) error {
 	if visited[srcDir] {
 		return nil
 	}
@@ -150,74 +153,36 @@ func copyResolvedDir(srcDir, dstDir string, visited map[string]bool) error {
 		srcPath := filepath.Join(srcDir, entry.Name())
 		dstPath := filepath.Join(dstDir, entry.Name())
 
-		realPath, err := filepath.EvalSymlinks(srcPath)
-		if err != nil {
-			return fmt.Errorf("resolving symlink %s: %w", srcPath, err)
-		}
-		realInfo, err := os.Stat(realPath)
-		if err != nil {
-			return fmt.Errorf("stat resolved path %s: %w", realPath, err)
-		}
+		isLink := entry.Type()&os.ModeSymlink != 0
 
-		if realInfo.IsDir() {
-			if err := os.MkdirAll(dstPath, realInfo.Mode()); err != nil {
-				return err
+		realPath := srcPath
+		if isLink {
+			realPath, err = filepath.EvalSymlinks(srcPath)
+			if err != nil {
+				return fmt.Errorf("resolving symlink %s: %w", srcPath, err)
 			}
-			if err := copyResolvedDir(realPath, dstPath, visited); err != nil {
-				return err
+			// Report the logical path, not the resolved target,
+			// to avoid leaking filesystem layout.
+			if confineRoot != "" && !isWithin(confineRoot, realPath) {
+				return fmt.Errorf("symlink %s resolves outside rootDir", srcPath)
 			}
-			continue
-		}
-
-		if !realInfo.Mode().IsRegular() {
-			continue
 		}
 
-		if err := copyResolvedFile(realPath, dstPath, realInfo.Mode()); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// copyConfinedDir is the root-confined equivalent of copyResolvedDir.
-// srcDir is assumed already resolved and already verified as within
-// realRoot. visited is a stack-based cycle breaker (see copyResolvedDir).
-func copyConfinedDir(realRoot, srcDir, dstDir string, visited map[string]bool) error {
-	if visited[srcDir] {
-		return nil
-	}
-	visited[srcDir] = true
-	defer delete(visited, srcDir)
-
-	entries, err := os.ReadDir(srcDir)
-	if err != nil {
-		return err
-	}
-
-	for _, entry := range entries {
-		srcPath := filepath.Join(srcDir, entry.Name())
-		dstPath := filepath.Join(dstDir, entry.Name())
-
-		realPath, err := filepath.EvalSymlinks(srcPath)
-		if err != nil {
-			return fmt.Errorf("resolving %s: %w", srcPath, err)
-		}
-		// Report the logical path of the offending symlink, not the
-		// resolved target, to avoid leaking filesystem layout.
-		if !isWithin(realRoot, realPath) {
-			return fmt.Errorf("symlink %s resolves outside rootDir", srcPath)
+		var realInfo os.FileInfo
+		if isLink {
+			realInfo, err = os.Stat(realPath)
+		} else {
+			realInfo, err = entry.Info()
 		}
-		realInfo, err := os.Stat(realPath)
 		if err != nil {
 			return fmt.Errorf("stat %s: %w", realPath, err)
 		}
 
 		if realInfo.IsDir() {
-			if err := os.MkdirAll(dstPath, realInfo.Mode()); err != nil {
+			if err = os.MkdirAll(dstPath, realInfo.Mode()); err != nil {
 				return err
 			}
-			if err := copyConfinedDir(realRoot, realPath, dstPath, visited); err != nil {
+			if err = copyDir(confineRoot, realPath, dstPath, visited); err != nil {
 				return err
 			}
 			continue
@@ -227,7 +192,7 @@ func copyConfinedDir(realRoot, srcDir, dstDir string, visited map[string]bool) e
 			continue
 		}
 
-		if err := copyResolvedFile(realPath, dstPath, realInfo.Mode()); err != nil {
+		if err = copyResolvedFile(realPath, dstPath, realInfo.Mode()); err != nil {
 			return err
 		}
 	}
diff --git a/tar/tar.go b/tar/tar.go
@@ -21,6 +21,7 @@ import (
 	"compress/gzip"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"time"
@@ -44,34 +45,43 @@ func Tar(dir string, w io.Writer, opts ...Option) (int64, error) {
 		return 0, err
 	}
 
-	if fi, err := os.Stat(absDir); err != nil {
+	fi, err := os.Stat(absDir)
+	if err != nil {
 		return 0, fmt.Errorf("invalid dir path %s: %w", absDir, err)
-	} else if !fi.IsDir() {
+	}
+	if !fi.IsDir() {
 		return 0, fmt.Errorf("not a directory: %s", absDir)
 	}
 
 	cw := &countWriter{w: w}
 
-	var gw *gzip.Writer
 	var tw *tar.Writer
+	var closers []io.Closer
 	if o.skipGzip {
 		tw = tar.NewWriter(cw)
+		closers = []io.Closer{tw}
 	} else {
-		gw = gzip.NewWriter(cw)
+		gw := gzip.NewWriter(cw)
 		tw = tar.NewWriter(gw)
+		closers = []io.Closer{tw, gw}
 	}
 
 	buf := make([]byte, bufferSize)
-	if err := filepath.Walk(absDir, func(p string, fi os.FileInfo, err error) error {
+	walkErr := filepath.WalkDir(absDir, func(p string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 
 		// Skip symlinks and other non-regular, non-directory entries.
-		if m := fi.Mode(); !(m.IsRegular() || m.IsDir()) {
+		if t := d.Type(); !t.IsRegular() && !t.IsDir() {
 			return nil
 		}
 
+		fi, err := d.Info()
+		if err != nil {
+			return err
+		}
+
 		if o.filter != nil && o.filter(p, fi) {
 			return nil
 		}
@@ -96,7 +106,7 @@ func Tar(dir string, w io.Writer, opts ...Option) (int64, error) {
 		header.AccessTime = time.Time{}
 		header.ChangeTime = time.Time{}
 
-		if err := tw.WriteHeader(header); err != nil {
+		if err = tw.WriteHeader(header); err != nil {
 			return err
 		}
 
@@ -113,27 +123,14 @@ func Tar(dir string, w io.Writer, opts ...Option) (int64, error) {
 			err = closeErr
 		}
 		return err
-	}); err != nil {
-		_ = tw.Close()
-		if gw != nil {
-			_ = gw.Close()
-		}
-		return cw.n, err
-	}
+	})
 
-	if err := tw.Close(); err != nil {
-		if gw != nil {
-			_ = gw.Close()
+	for _, c := range closers {
+		if closeErr := c.Close(); closeErr != nil && walkErr == nil {
+			walkErr = closeErr
 		}
-		return cw.n, err
 	}
-	if gw != nil {
-		if err := gw.Close(); err != nil {
-			return cw.n, err
-		}
-	}
-
-	return cw.n, nil
+	return cw.n, walkErr
 }
 
 // countWriter wraps an io.Writer and counts the bytes written.
diff --git a/tar/untar.go b/tar/untar.go
@@ -47,7 +47,7 @@ const (
 // If dir is a relative path, it cannot ascend from the current working
 // directory. If dir exists, it must be a directory; otherwise it is
 // created.
-func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {
+func Untar(r io.Reader, dir string, inOpts ...Option) error {
 	opts := tarOpts{
 		maxUntarSize: DefaultMaxUntarSize,
 	}
@@ -60,8 +60,7 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {
 			return err
 		}
 
-		dir, err = securejoin.SecureJoin(cwd, dir)
-		if err != nil {
+		if dir, err = securejoin.SecureJoin(cwd, dir); err != nil {
 			return err
 		}
 	}
@@ -77,35 +76,33 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {
 	}
 
 	madeDir := map[string]bool{}
-	var tr *tar.Reader
-	if opts.skipGzip {
-		tr = tar.NewReader(r)
-	} else {
-		zr, err := gzip.NewReader(r)
+
+	var rc = io.NopCloser(r)
+	if !opts.skipGzip {
+		var err error
+		rc, err = gzip.NewReader(r)
 		if err != nil {
 			return fmt.Errorf("requires gzip-compressed body: %w", err)
 		}
-
-		tr = tar.NewReader(zr)
 	}
+	tr := tar.NewReader(rc)
 
-	processedBytes := 0
+	var processedBytes int64
 	t0 := time.Now()
 
-	// For improved concurrency, this could be optimised by sourcing
-	// the buffer from a sync.Pool.
+	// Reuse a single buffer for all file copies.
 	buf := make([]byte, bufferSize)
 	for {
 		f, err := tr.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
 		}
 		if err != nil {
 			return fmt.Errorf("tar error: %w", err)
 		}
-		processedBytes += int(f.Size)
+		processedBytes += f.Size
 		if opts.maxUntarSize > UnlimitedUntarSize &&
-			processedBytes > opts.maxUntarSize {
+			processedBytes > int64(opts.maxUntarSize) {
 			return fmt.Errorf("tar %q is bigger than max archive size of %d bytes", f.Name, opts.maxUntarSize)
 		}
 		if !validRelPath(f.Name) {
@@ -127,12 +124,12 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {
 			// already be made by a directory entry in the tar
 			// beforehand. Thus, don't check for errors; the next
 			// write will fail with the same error.
-			dir := filepath.Dir(abs)
-			if !madeDir[dir] {
-				if err := os.MkdirAll(filepath.Dir(abs), 0o750); err != nil {
+			parentDir := filepath.Dir(abs)
+			if !madeDir[parentDir] {
+				if err := os.MkdirAll(parentDir, 0o750); err != nil {
 					return err
 				}
-				madeDir[dir] = true
+				madeDir[parentDir] = true
 			}
 			if runtime.GOOS == "darwin" && mode&0111 != 0 {
 				// The darwin kernel caches binary signatures
@@ -146,13 +143,13 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {
 					return err
 				}
 			}
-			wf, err := os.OpenFile(abs, os.O_RDWR|os.O_CREATE|os.O_TRUNC, mode.Perm())
+			wf, err := os.OpenFile(abs, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode.Perm())
 			if err != nil {
 				return err
 			}
 
 			n, err := copyBuffer(wf, tr, buf)
-			if err != nil && err != io.EOF {
+			if err != nil && !errors.Is(err, io.EOF) {
 				return fmt.Errorf("error copying buffer: %w", err)
 			}
 
@@ -194,7 +191,7 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {
 			return fmt.Errorf("tar file entry %s contained unsupported file type %v", f.Name, mode)
 		}
 	}
-	return nil
+	return rc.Close()
 }
 
 // Uses a variant of io.CopyBuffer which ensures that a buffer is being used.
@@ -211,11 +208,13 @@ func copyBuffer(dst io.Writer, src io.Reader, buf []byte) (written int64, err er
 	for {
 		nr, er := src.Read(buf)
 		if nr > 0 {
-			nw, ew := dst.Write(buf[0:nr])
+			nw, ew := dst.Write(buf[:nr])
+			// Guard against a broken Writer: negative byte count
+			// or claiming more bytes written than provided.
 			if nw < 0 || nr < nw {
 				nw = 0
 				if ew == nil {
-					ew = fmt.Errorf("errInvalidWrite")
+					ew = errors.New("invalid write result")
 				}
 			}
 			written += int64(nw)
@@ -229,7 +228,7 @@ func copyBuffer(dst io.Writer, src io.Reader, buf []byte) (written int64, err er
 			}
 		}
 		if er != nil {
-			if er != io.EOF {
+			if !errors.Is(er, io.EOF) {
 				err = er
 			}
 			break

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ const (`
`47`	`47`	`// If dir is a relative path, it cannot ascend from the current working`
`48`	`48`	`// directory. If dir exists, it must be a directory; otherwise it is`
`49`	`49`	`// created.`
`50`		`-func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {`
	`50`	`+func Untar(r io.Reader, dir string, inOpts ...Option) error {`
`51`	`51`	`opts := tarOpts{`
`52`	`52`	`maxUntarSize: DefaultMaxUntarSize,`
`53`	`53`	`}`
`@@ -60,8 +60,7 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {`
`60`	`60`	`return err`
`61`	`61`	`}`
`62`	`62`
`63`		`- dir, err = securejoin.SecureJoin(cwd, dir)`
`64`		`- if err != nil {`
	`63`	`+ if dir, err = securejoin.SecureJoin(cwd, dir); err != nil {`
`65`	`64`	`return err`
`66`	`65`	`}`
`67`	`66`	`}`
`@@ -77,35 +76,33 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {`
`77`	`76`	`}`
`78`	`77`
`79`	`78`	`madeDir := map[string]bool{}`
`80`		`- var tr *tar.Reader`
`81`		`- if opts.skipGzip {`
`82`		`- tr = tar.NewReader(r)`
`83`		`- } else {`
`84`		`- zr, err := gzip.NewReader(r)`
	`79`	`+`
	`80`	`+ var rc = io.NopCloser(r)`
	`81`	`+ if !opts.skipGzip {`
	`82`	`+ var err error`
	`83`	`+ rc, err = gzip.NewReader(r)`
`85`	`84`	`if err != nil {`
`86`	`85`	`return fmt.Errorf("requires gzip-compressed body: %w", err)`
`87`	`86`	`}`
`88`		`-`
`89`		`- tr = tar.NewReader(zr)`
`90`	`87`	`}`
	`88`	`+ tr := tar.NewReader(rc)`
`91`	`89`
`92`		`- processedBytes := 0`
	`90`	`+ var processedBytes int64`
`93`	`91`	`t0 := time.Now()`
`94`	`92`
`95`		`- // For improved concurrency, this could be optimised by sourcing`
`96`		`- // the buffer from a sync.Pool.`
	`93`	`+ // Reuse a single buffer for all file copies.`
`97`	`94`	`buf := make([]byte, bufferSize)`
`98`	`95`	`for {`
`99`	`96`	`f, err := tr.Next()`
`100`		`- if err == io.EOF {`
	`97`	`+ if errors.Is(err, io.EOF) {`
`101`	`98`	`break`
`102`	`99`	`}`
`103`	`100`	`if err != nil {`
`104`	`101`	`return fmt.Errorf("tar error: %w", err)`
`105`	`102`	`}`
`106`		`- processedBytes += int(f.Size)`
	`103`	`+ processedBytes += f.Size`
`107`	`104`	`if opts.maxUntarSize > UnlimitedUntarSize &&`
`108`		`- processedBytes > opts.maxUntarSize {`
	`105`	`+ processedBytes > int64(opts.maxUntarSize) {`
`109`	`106`	`return fmt.Errorf("tar %q is bigger than max archive size of %d bytes", f.Name, opts.maxUntarSize)`
`110`	`107`	`}`
`111`	`108`	`if !validRelPath(f.Name) {`
`@@ -127,12 +124,12 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {`
`127`	`124`	`// already be made by a directory entry in the tar`
`128`	`125`	`// beforehand. Thus, don't check for errors; the next`
`129`	`126`	`// write will fail with the same error.`
`130`		`- dir := filepath.Dir(abs)`
`131`		`- if !madeDir[dir] {`
`132`		`- if err := os.MkdirAll(filepath.Dir(abs), 0o750); err != nil {`
	`127`	`+ parentDir := filepath.Dir(abs)`
	`128`	`+ if !madeDir[parentDir] {`
	`129`	`+ if err := os.MkdirAll(parentDir, 0o750); err != nil {`
`133`	`130`	`return err`
`134`	`131`	`}`
`135`		`- madeDir[dir] = true`
	`132`	`+ madeDir[parentDir] = true`
`136`	`133`	`}`
`137`	`134`	`if runtime.GOOS == "darwin" && mode&0111 != 0 {`
`138`	`135`	`// The darwin kernel caches binary signatures`
`@@ -146,13 +143,13 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {`
`146`	`143`	`return err`
`147`	`144`	`}`
`148`	`145`	`}`
`149`		`- wf, err := os.OpenFile(abs, os.O_RDWR\|os.O_CREATE\|os.O_TRUNC, mode.Perm())`
	`146`	`+ wf, err := os.OpenFile(abs, os.O_WRONLY\|os.O_CREATE\|os.O_TRUNC, mode.Perm())`
`150`	`147`	`if err != nil {`
`151`	`148`	`return err`
`152`	`149`	`}`
`153`	`150`
`154`	`151`	`n, err := copyBuffer(wf, tr, buf)`
`155`		`- if err != nil && err != io.EOF {`
	`152`	`+ if err != nil && !errors.Is(err, io.EOF) {`
`156`	`153`	`return fmt.Errorf("error copying buffer: %w", err)`
`157`	`154`	`}`
`158`	`155`
`@@ -194,7 +191,7 @@ func Untar(r io.Reader, dir string, inOpts ...Option) (err error) {`
`194`	`191`	`return fmt.Errorf("tar file entry %s contained unsupported file type %v", f.Name, mode)`
`195`	`192`	`}`
`196`	`193`	`}`
`197`		`- return nil`
	`194`	`+ return rc.Close()`
`198`	`195`	`}`
`199`	`196`
`200`	`197`	`// Uses a variant of io.CopyBuffer which ensures that a buffer is being used.`
`@@ -211,11 +208,13 @@ func copyBuffer(dst io.Writer, src io.Reader, buf []byte) (written int64, err er`
`211`	`208`	`for {`
`212`	`209`	`nr, er := src.Read(buf)`
`213`	`210`	`if nr > 0 {`
`214`		`- nw, ew := dst.Write(buf[0:nr])`
	`211`	`+ nw, ew := dst.Write(buf[:nr])`
	`212`	`+ // Guard against a broken Writer: negative byte count`
	`213`	`+ // or claiming more bytes written than provided.`
`215`	`214`	`if nw < 0 \|\| nr < nw {`
`216`	`215`	`nw = 0`
`217`	`216`	`if ew == nil {`
`218`		`- ew = fmt.Errorf("errInvalidWrite")`
	`217`	`+ ew = errors.New("invalid write result")`
`219`	`218`	`}`
`220`	`219`	`}`
`221`	`220`	`written += int64(nw)`
`@@ -229,7 +228,7 @@ func copyBuffer(dst io.Writer, src io.Reader, buf []byte) (written int64, err er`
`229`	`228`	`}`
`230`	`229`	`}`
`231`	`230`	`if er != nil {`
`232`		`- if er != io.EOF {`
	`231`	`+ if !errors.Is(er, io.EOF) {`
`233`	`232`	`err = er`
`234`	`233`	`}`
`235`	`234`	`break`