fix: adds support for OCI images with embedded attestations

pecodez · pecodez · commit 987ebfb42fb9 · 2026-02-25T18:49:53.000Z
diff --git a/lib/extractor/decompress-maybe.ts b/lib/extractor/decompress-maybe.ts
@@ -40,13 +40,16 @@ export function decompressMaybe(): Transform {
           compressionType = "gzip";
           headerRead = true;
 
-          // Setup gzip decompressor
           gzipStream = createGunzip();
           gzipStream.on("data", (data: Buffer) => transform.push(data));
           gzipStream.on("error", (err: Error) => transform.destroy(err));
 
-          // Write buffered data
-          gzipStream.write(combined);
+          try {
+            gzipStream.write(combined);
+          } catch (err) {
+            callback(err instanceof Error ? err : new Error(String(err)));
+            return;
+          }
           buffer.length = 0;
           callback();
         }
@@ -61,14 +64,12 @@ export function decompressMaybe(): Transform {
           compressionType = "zstd";
           headerRead = true;
 
-          // Setup zstd decompressor with streaming API
           zstdStream = new ZstdDecompress(
             (data: Uint8Array, final?: boolean) => {
               transform.push(Buffer.from(data));
             },
           );
 
-          // Write buffered data
           try {
             zstdStream.push(new Uint8Array(combined), false);
           } catch (err) {
@@ -100,7 +101,12 @@ export function decompressMaybe(): Transform {
       } else {
         // Header already read
         if (compressionType === "gzip" && gzipStream) {
-          gzipStream.write(chunk);
+          try {
+            gzipStream.write(chunk);
+          } catch (err) {
+            callback(err instanceof Error ? err : new Error(String(err)));
+            return;
+          }
           callback();
         } else if (compressionType === "zstd" && zstdStream) {
           try {
@@ -122,12 +128,12 @@ export function decompressMaybe(): Transform {
       }
     },
 
-    async flush(callback) {
+    flush(callback) {
       if (compressionType === "gzip" && gzipStream) {
         gzipStream.once("end", () => callback());
+        gzipStream.once("error", (err) => callback(err));
         gzipStream.end();
       } else if (compressionType === "zstd" && zstdStream) {
-        // Signal end of zstd stream
         try {
           zstdStream.push(new Uint8Array(0), true);
           callback();
diff --git a/lib/extractor/oci-archive/layer.ts b/lib/extractor/oci-archive/layer.ts
@@ -67,10 +67,14 @@ export async function extractArchive(
           stream.pipe(layerStream);
 
           const promises = [
-            streamToJson(jsonStream).catch(() => undefined),
-            extractImageLayer(layerStream, extractActions).catch(
-              () => undefined,
-            ),
+            streamToJson(jsonStream).catch(() => {
+              jsonStream.destroy();
+              return undefined;
+            }),
+            extractImageLayer(layerStream, extractActions).catch(() => {
+              layerStream.destroy();
+              return undefined;
+            }),
           ];
           const [manifest, layer] = await Promise.all(promises);
 
diff --git a/test/fixtures/oci-archives/oci-with-attestations.tar b/test/fixtures/oci-archives/oci-with-attestations.tar
diff --git a/test/lib/extractor/oci-with-attestations.spec.ts b/test/lib/extractor/oci-with-attestations.spec.ts
@@ -0,0 +1,75 @@
+import {
+  extractImageContent,
+} from "../../../lib/extractor";
+import { ImageType } from "../../../lib/types";
+import { getFixture } from "../../util/index";
+
+describe("OCI archive with attestation blobs", () => {
+  const fixture = getFixture("oci-archives/oci-with-attestations.tar");
+  const opts = { platform: "linux/amd64" };
+
+  it("successfully extracts layers without deadlocking on large attestation blobs", async () => {
+    const result = await extractImageContent(
+      ImageType.OciArchive,
+      fixture,
+      [],
+      opts,
+    );
+    expect(result.manifestLayers.length).toBe(1);
+    expect(result.extractedLayers).toBeDefined();
+    expect(result.imageId).toContain("sha256:");
+  });
+
+  it("extracts when image type is unset (fallback path)", async () => {
+    await expect(
+      extractImageContent(0, fixture, [], opts),
+    ).resolves.not.toThrow();
+  });
+
+  it("returns correct platform from image config", async () => {
+    const result = await extractImageContent(
+      ImageType.OciArchive,
+      fixture,
+      [],
+      opts,
+    );
+    expect(result.platform).toBe("linux/amd64");
+  });
+
+  it("returns rootfs layer diff IDs", async () => {
+    const result = await extractImageContent(
+      ImageType.OciArchive,
+      fixture,
+      [],
+      opts,
+    );
+    expect(result.rootFsLayers).toBeDefined();
+    expect(result.rootFsLayers!.length).toBe(1);
+  });
+
+  it("extracts layer file content via extract actions", async () => {
+    const extractActions = [
+      {
+        actionName: "read_hello",
+        filePathMatches: (filePath: string) => filePath.endsWith("hello.txt"),
+        callback: async (stream: NodeJS.ReadableStream) => {
+          const chunks: Buffer[] = [];
+          for await (const chunk of stream) {
+            chunks.push(chunk as Buffer);
+          }
+          return chunks.join("");
+        },
+      },
+    ];
+
+    const result = await extractImageContent(
+      ImageType.OciArchive,
+      fixture,
+      extractActions,
+      opts,
+    );
+
+    const helloContent = result.extractedLayers["/hello.txt"]?.["read_hello"];
+    expect(helloContent).toBe("hello\n");
+  });
+});
