@tianon
Last active January 9, 2026 01:08
BAD TARBALLS (inspired by and including https://github.com/opencontainers/image-spec/issues/1301) -- see https://oci.dag.dev/?repo=tianon/test (tags starting with "badtars")
#!/usr/bin/env bash
# Runs every Go generator in the current directory and stores whatever it
# prints on stdout as the matching "<name>.tar" fixture. The resulting files
# are intentionally malformed or unusual archives meant as parser test input.
set -Eeuo pipefail -x

for generator in *.go; do
	# "${generator%.go}" drops the extension so foo.go produces foo.tar.
	go run "$generator" > "${generator%.go}.tar"
done
package main
import (
"archive/tar"
"os"
)
// main writes ten tar entries in a row to stdout, every one named "duplicate"
// and carrying the same payload.
//
// A new tar.Writer is created for each pass and finished with Flush only, so
// each entry is padded to a block boundary but no end-of-archive trailer is
// ever written. The output is a fixture for checking how a consumer handles a
// repeated entry name and a stream that ends without a trailer; extractors,
// scanners and viewers that read the same layer should agree on the result.
func main() {
	const copies = 10
	payload := []byte(`BAD TARBALL (to the tune of "BAD ROBOT")` + "\n\n")

	for n := 0; n < copies; n++ {
		w := tar.NewWriter(os.Stdout)
		hdr := &tar.Header{Name: "duplicate", Size: int64(len(payload))}
		if err := w.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := w.Write(payload); err != nil {
			panic(err)
		}
		// Flush, not Close: Close would append the end-of-archive blocks.
		if err := w.Flush(); err != nil {
			panic(err)
		}
	}
}
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
duplicate0000000000000000000000000000005200000000000011061 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
package main
import (
"archive/tar"
"os"
)
// main writes a single tar entry whose header leaves Name unset, so the entry
// name is the empty string.
//
// The stream is finished with Flush only, so no end-of-archive trailer
// follows the entry. Consumers should have explicit handling for an empty
// entry name (reject or skip it) instead of joining it onto the extraction
// root and treating the result as a normal path.
func main() {
	payload := []byte(`BAD TARBALL (to the tune of "BAD ROBOT")` + "\n\n")
	w := tar.NewWriter(os.Stdout)

	// No Name field: this is the property the fixture exists to exercise.
	hdr := &tar.Header{Size: int64(len(payload))}
	if err := w.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := w.Write(payload); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}
0000000000000000000000000000005200000000000007166 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
package main
import (
"archive/tar"
"os"
)
// main writes a single tar entry whose name contains HTML tags and an entity
// reference.
//
// The markup is harmless formatting, which makes the fixture a safe way to
// see whether a web UI, report or log viewer escapes archive entry names
// before rendering them: if the name shows up bold or with a horizontal rule,
// the name is being emitted as markup and needs HTML-escaping at that output
// point. The stream is finished with Flush only (no end-of-archive trailer).
func main() {
	payload := []byte(`BAD TARBALL (to the tune of "BAD ROBOT")` + "\n\n")
	w := tar.NewWriter(os.Stdout)

	hdr := &tar.Header{
		Name: "I <strong>heart</strong> <em>HTML</em> <br> <hr> <br> &nbsp;",
		Size: int64(len(payload)),
	}
	if err := w.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := w.Write(payload); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}
I <strong>heart</strong> <em>HTML</em> <br> <hr> <br> &nbsp;0000000000000000000000000000005200000000000020760 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
package main
import (
"archive/tar"
"os"
)
// main writes a single tar entry whose name is the one byte 0x80.
//
// 0x80 is a UTF-8 continuation byte with no lead byte before it, so the name
// is not valid UTF-8. The fixture shows how a consumer treats an undecodable
// entry name: tools that store, display or compare names as text should
// decide explicitly whether to reject the entry or keep the raw bytes, and
// should not let a lossy replacement make two distinct names look equal.
// The stream is finished with Flush only (no end-of-archive trailer).
func main() {
	payload := []byte(`BAD TARBALL (to the tune of "BAD ROBOT")` + "\n\n")
	w := tar.NewWriter(os.Stdout)

	invalidName := string([]byte{0x80})
	hdr := &tar.Header{Name: invalidName, Size: int64(len(payload))}
	if err := w.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := w.Write(payload); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}
package main
import (
"archive/tar"
"os"
)
// main writes a single zero-size tar entry named ".wh." and nothing else.
//
// In OCI image layers the ".wh." prefix marks a whiteout entry, so this name
// is the prefix with no target after it. Layer appliers should define what
// happens for an empty whiteout target (rejecting the layer is the
// conservative choice); the linked issue holds the upstream discussion.
// The stream is finished with Flush only (no end-of-archive trailer).
func main() {
	w := tar.NewWriter(os.Stdout)

	// https://github.com/opencontainers/image-spec/issues/1301
	whiteout := &tar.Header{Name: ".wh."}
	if err := w.WriteHeader(whiteout); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}
.wh.0000000000000000000000000000000000000000000007652 0ustar0000000000000000
package main
import (
"archive/tar"
"os"
)
// main writes only a tar header for an entry named "truncated" that declares
// a 42-byte body, then returns.
//
// Nothing is written after the header and neither Flush nor Close is called,
// so the stream ends where the entry's data should begin. A reader should
// report this as a short/unexpected-EOF error and must not hand back an empty
// or partial file as if extraction had succeeded.
func main() {
	hdr := tar.Header{Name: "truncated", Size: 42}
	if err := tar.NewWriter(os.Stdout).WriteHeader(&hdr); err != nil {
		panic(err)
	}
}
truncated0000000000000000000000000000005200000000000011100 0ustar0000000000000000
package main
import (
"archive/tar"
"os"
)
// main writes a single tar entry whose name has a line feed in the middle
// ("bad", newline, "tarball").
//
// Any listing that prints one entry name per line becomes ambiguous for this
// archive, because the single entry looks like two. Tools that emit names
// into line-oriented output (manifests, allow/deny lists, logs) should quote
// or escape control characters, and anything parsing such output should not
// assume one line equals one entry. The stream is finished with Flush only
// (no end-of-archive trailer).
func main() {
	payload := []byte(`BAD TARBALL (to the tune of "BAD ROBOT")` + "\n\n")
	w := tar.NewWriter(os.Stdout)

	hdr := &tar.Header{Name: "bad\ntarball", Size: int64(len(payload))}
	if err := w.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := w.Write(payload); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}
bad
tarball0000000000000000000000000000005200000000000011211 0ustar0000000000000000BAD TARBALL (to the tune of "BAD ROBOT")
#!/usr/bin/env bash
# Wraps every *.tar in the current directory as a single-layer OCI image inside
# a local ./oci layout, one index entry per tarball, named
# tianon/test:badtars-<name>. Nothing is pushed; the push command at the end
# is left commented out.
set -Eeuo pipefail
# assumes https://gist.github.com/tianon/35528d9851ebf0b0767c04cec5e01bcf are in PATH
# Under `set -e` a failed lookup stops the script here, before ./oci is removed.
command -v oci-init
# Start from an empty layout. This deletes ./oci relative to the current
# directory, so run the script only from the fixture directory.
rm -rf oci
mkdir oci
( cd oci && oci-init )
for tar in *.tar; do
name="${tar%.tar}"
img="tianon/test:badtars-$name"
# Values are exported so the jq programs below can read them via `env.X`.
# They are never interpolated into the jq program text, so file contents
# (including the Go source) cannot be parsed as jq code.
export name img
echo "- $img"
# stdin is redirected from the tarball before `cd oci`, so the relative path
# resolves in the starting directory. oci-put prints JSON that the script later
# reads .digest from; presumably it stores stdin as a blob in the layout --
# confirm against the helper gist.
blob="$(exec < "$tar" && cd oci && oci-put)"
export blob
# The generator's Go source is read whole; it is embedded below as the
# history entry and as the image "source" annotation.
go="$(< "$name.go")"
export go
# Image config: one history entry holding the Go source, and a single diff_id
# taken from the layer blob's own digest (the layer is declared below as an
# uncompressed tar, and both values come from the same oci-put result).
config="$(cd oci && jq -n --tab '{
history: [ {
created_by: env.go,
} ],
rootfs: {
type: "layers",
diff_ids: [ env.blob | fromjson | .digest ],
},
os: "linux",
architecture: "amd64",
}' | oci-put)"
export config
# Image manifest: the config and layer descriptors returned by oci-put with
# their mediaType fields set, plus url/version/source annotations.
manifest="$(cd oci && jq -n --tab '{
schemaVersion: 2,
mediaType: "application/vnd.oci.image.manifest.v1+json",
config: (env.config | fromjson | .mediaType = "application/vnd.oci.image.config.v1+json"),
layers: [ env.blob | fromjson | .mediaType = "application/vnd.oci.image.layer.v1.tar" ],
annotations: {
"org.opencontainers.image.url": "https://gist.github.com/tianon/d7b3fc1dcd6eaf84390f6ea479d67f4e",
"org.opencontainers.image.version": env.name,
"org.opencontainers.image.source": env.go,
},
}' | oci-put)"
export manifest
# Append the manifest descriptor to the layout index with the image reference
# as its ref.name annotation. The new index is written to a temporary file and
# moved into place, so jq never reads and writes the same file.
jq --tab '
.manifests += [
env.manifest
| fromjson
| .mediaType = "application/vnd.oci.image.manifest.v1+json"
| .annotations += {
"org.opencontainers.image.ref.name": env.img,
}
]
' oci/index.json > oci/index.json.new
mv oci/index.json.new oci/index.json
done
# Push step, left disabled: it would turn each index entry into a regctl copy
# from the local layout to the named reference.
# jq --raw-output '.manifests[] | @sh "regctl-0.11.1 image copy \("ocidir://oci:" + (.annotations["org.opencontainers.image.ref.name"] | split(":")[-1])) \(.annotations["org.opencontainers.image.ref.name"])\n"' oci/index.json | bash -Eeuo pipefail -x
package main
import (
"archive/tar"
"os"
)
// main writes a single tar entry whose name is the two bytes 0xC0 0xA0.
//
// That pair is an overlong two-byte UTF-8 form (it would decode to U+0020, a
// space), which conforming UTF-8 decoders reject. The fixture shows whether a
// consumer validates names strictly: path and name checks should run on the
// same decoded form that is later used, so a lenient decoder further down the
// pipeline cannot see a different name than the validator did.
// The stream is finished with Flush only (no end-of-archive trailer).
func main() {
	payload := []byte(`BAD TARBALL (to the tune of "BAD ROBOT")` + "\n\n")
	w := tar.NewWriter(os.Stdout)

	// thank you paultag
	overlongName := string([]byte{0xc0, 0xa0})
	hdr := &tar.Header{Name: overlongName, Size: int64(len(payload))}
	if err := w.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := w.Write(payload); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}