fix:Set default permission in artifact archive executable files

Signed-off-by: Rashed Kamal <krashed@vmware.com>
fluxcd · May 11, 2023 · 49f731b · 49f731b
1 parent 5c5b822
commit 49f731b
Showing 1 changed file with 25 additions and 2 deletions.
diff --git a/internal/controller/storage.go b/internal/controller/storage.go
@@ -48,10 +48,12 @@ import (
 const GarbageCountLimit = 1000
 
 const (
-	// defaultFileMode is the permission mode applied to all files inside an artifact archive.
+	// defaultFileMode is the permission mode applied to files inside an artifact archive.
 	defaultFileMode int64 = 0o644
 	// defaultDirMode is the permission mode applied to all directories inside an artifact archive.
 	defaultDirMode int64 = 0o755
+	// defaultExeFileMode is the permission mode applied to executable files inside an artifact archive.
+	defaultExeFileMode int64 = 0o744
 )
 
 // Storage manages artifacts
@@ -445,7 +447,15 @@ func (s Storage) Archive(artifact *v1.Artifact, dir string, filter ArchiveFileFi
 		header.ModTime = time.Time{}
 		header.AccessTime = time.Time{}
 		header.ChangeTime = time.Time{}
-		header.Mode = defaultFileMode
+
+		if fi.Mode().IsRegular() {
+			if isExecutableFile(relFilePath, header) {
+				header.Mode = defaultExeFileMode
+			} else {
+				header.Mode = defaultFileMode
+			}
+		}
+
 		if fi.Mode().IsDir() {
 			header.Mode = defaultDirMode
 		}
@@ -689,3 +699,16 @@ func (wc *writeCounter) Write(p []byte) (int, error) {
 	wc.written += int64(n)
 	return n, nil
 }
+
+// checks if file is executable
+func isExecutableFile(path string, header *tar.Header) bool {
+	if header.FileInfo().IsDir() {
+		return false
+	}
+	mode := header.FileInfo().Mode()
+	if mode&os.ModeType == 0 && mode&0o111 != 0 {
+		// Regular files with executable bit set
+		return true
+	}
+	return false
+}