snyk
diff --git a/lib/extractor/decompress-maybe.ts b/lib/extractor/decompress-maybe.ts
Lines changed: 154 additions & 0 deletions
diff --git a/lib/extractor/index.ts b/lib/extractor/index.ts
Lines changed: 17 additions & 14 deletions
diff --git a/lib/extractor/layer.ts b/lib/extractor/layer.ts
Lines changed: 6 additions & 3 deletions
diff --git a/lib/extractor/oci-archive/layer.ts b/lib/extractor/oci-archive/layer.ts
Lines changed: 9 additions & 3 deletions
@@ -0,0 +1,154 @@
+import { Decompress as ZstdDecompress } from "fzstd";
+import { Transform } from "stream";
+import { createGunzip } from "zlib";
+
+/**
+ * Creates a transform stream that sniffs the leading magic bytes of its input
+ * and transparently decompresses it.
+ *
+ * Supports three formats:
+ * - gzip (magic: 1f 8b) - Streamed through Node.js built-in zlib
+ * - zstd (magic: 28 b5 2f fd) - Streamed through fzstd library
+ * - uncompressed - Passed through unchanged
+ *
+ * Detection buffers input until a magic number matches or 8 bytes have been
+ * seen; input that ends before a decision is made is emitted unchanged.
+ *
+ * Both gzip and zstd are decompressed chunk by chunk instead of buffering whole
+ * layers, which matters for large image layers (multiple GB). Gzip chunks are
+ * only acknowledged once zlib has processed them, so a slow consumer throttles
+ * the source instead of letting pending input accumulate in memory.
+ *
+ * OCI images from containerd may use zstd compression, while older Docker archives use gzip.
+ * Manifest and config files within OCI archives are typically uncompressed JSON.
+ *
+ * Named after the gunzip-maybe library, which only handled gzip detection.
+ *
+ * @returns a Transform emitting the decompressed (or original) bytes. It is
+ * destroyed with the underlying error when gzip decoding fails, and errors with
+ * "zstd decompression failed: ..." when zstd decoding fails.
+ */
+export function decompressMaybe(): Transform {
+  let compressionType: "gzip" | "zstd" | "none" | null = null;
+  let gzipStream: Transform | null = null;
+  let zstdStream: ZstdDecompress | null = null;
+  // Chunks held back while the format is still undetermined.
+  const buffer: Buffer[] = [];
+
+  // Completion callback shape shared by the write helpers below.
+  type Done = (error?: Error | null) => void;
+
+  // Wraps whatever fzstd threw in an Error with a recognisable prefix.
+  const zstdError = (err: unknown): Error =>
+    new Error(
+      `zstd decompression failed: ${
+        err instanceof Error ? err.message : String(err)
+      }`,
+    );
+
+  // Feeds gzip input to zlib and completes only once zlib has processed it,
+  // which propagates backpressure to the upstream source.
+  const writeGzip = (target: Transform, data: Buffer, done: Done): void => {
+    target.write(data, (err) => {
+      // On failure the "error" listener destroys the stream instead.
+      if (!err) {
+        done();
+      }
+    });
+  };
+
+  // Feeds zstd input to fzstd, turning a thrown failure into a stream error.
+  const writeZstd = (
+    target: ZstdDecompress,
+    data: Buffer,
+    final: boolean,
+    done: Done,
+  ): void => {
+    try {
+      // The copy hands fzstd its own bytes rather than the caller's Buffer.
+      target.push(new Uint8Array(data), final);
+    } catch (err) {
+      done(zstdError(err));
+      return;
+    }
+    done();
+  };
+
+  const transform = new Transform({
+    // Detects the format on the first bytes, then routes every chunk to it.
+    transform(chunk: Buffer, _encoding, callback) {
+      // Format already detected: hand the chunk to the matching decoder.
+      if (compressionType === "gzip" && gzipStream) {
+        writeGzip(gzipStream, chunk, callback);
+        return;
+      }
+      if (compressionType === "zstd" && zstdStream) {
+        writeZstd(zstdStream, chunk, false, callback);
+        return;
+      }
+      if (compressionType !== null) {
+        // No compression: forward the chunk untouched.
+        callback(null, chunk);
+        return;
+      }
+
+      // Format not yet known: accumulate and inspect the leading bytes.
+      buffer.push(chunk);
+      const combined = Buffer.concat(buffer);
+      // True when the buffered input starts with the given bytes.
+      const hasMagic = (...magic: number[]): boolean =>
+        magic.every((byte, i) => combined[i] === byte);
+
+      if (hasMagic(0x1f, 0x8b)) {
+        compressionType = "gzip";
+        const gunzip = createGunzip();
+        // Forward decoded output; a decoding failure tears down this stream.
+        gunzip.on("data", (data: Buffer) => transform.push(data));
+        gunzip.on("error", (err: Error) => transform.destroy(err));
+        gzipStream = gunzip;
+        buffer.length = 0;
+        // Replay the bytes consumed during detection.
+        writeGzip(gunzip, combined, callback);
+      } else if (hasMagic(0x28, 0xb5, 0x2f, 0xfd)) {
+        compressionType = "zstd";
+        // fzstd hands decoded output to this handler.
+        const zstd = new ZstdDecompress((data: Uint8Array) => {
+          transform.push(Buffer.from(data));
+        });
+        zstdStream = zstd;
+        buffer.length = 0;
+        // Replay the bytes consumed during detection.
+        writeZstd(zstd, combined, false, callback);
+      } else if (combined.length >= 8) {
+        // Neither magic number matched within 8 bytes: assume uncompressed.
+        compressionType = "none";
+        buffer.length = 0;
+        this.push(combined);
+        callback();
+      } else {
+        // Too short to decide yet; wait for more data.
+        callback();
+      }
+    },
+
+    // Drains the active decoder, or emits input whose format was never decided.
+    flush(callback) {
+      if (compressionType === "gzip" && gzipStream) {
+        // Finish only after zlib has emitted all remaining output.
+        gzipStream.once("end", () => callback());
+        gzipStream.end();
+      } else if (compressionType === "zstd" && zstdStream) {
+        // An empty final chunk signals the end of the zstd stream.
+        writeZstd(zstdStream, Buffer.alloc(0), true, callback);
+      } else if (compressionType === null && buffer.length > 0) {
+        // Stream ended before determining compression, assume uncompressed.
+        this.push(Buffer.concat(buffer));
+        callback();
+      } else {
+        callback();
+      }
+    },
+  });
+
+  return transform;
+}
@@ -117,21 +117,24 @@ export async function extractImageContent(
   let archiveContent: ExtractedLayersAndManifest;
 
   if (!extractors.has(imageType)) {
-    // default to Docker extractor if image type is unknown
-    imageType = ImageType.DockerArchive;
-  }
-  extractor = extractors.get(imageType) as ArchiveExtractor;
+    // Unknown image type - try all extractors to auto-detect format
+    [archiveContent, extractor] = await extractArchiveContentFallback(
+      extractors,
+    );
+  } else {
+    extractor = extractors.get(imageType) as ArchiveExtractor;
 
-  try {
-    archiveContent = await extractor.getLayersAndManifest();
-  } catch (err) {
-    if (err instanceof InvalidArchiveError) {
-      // fallback to the other extractor if layer extraction failed
-      [archiveContent, extractor] = await extractArchiveContentFallback(
-        extractors,
-      );
-    } else {
-      throw err;
+    try {
+      archiveContent = await extractor.getLayersAndManifest();
+    } catch (err) {
+      if (err instanceof InvalidArchiveError) {
+        // fallback to the other extractor if layer extraction failed
+        [archiveContent, extractor] = await extractArchiveContentFallback(
+          extractors,
+        );
+      } else {
+        throw err;
+      }
     }
   }
 
 
@@ -1,16 +1,19 @@
 import * as Debug from "debug";
-import * as gunzip from "gunzip-maybe";
 import * as path from "path";
 import { Readable } from "stream";
 import { extract, Extract } from "tar-stream";
 import { isWhitedOutFile } from ".";
 import { applyCallbacks, isResultEmpty } from "./callbacks";
+import { decompressMaybe } from "./decompress-maybe";
 import { ExtractAction, ExtractedLayers } from "./types";
 
 const debug = Debug("snyk");
 
 /**
  * Extract key files from the specified TAR stream.
+ *
+ * Layer streams may be compressed with gzip, zstd, or uncompressed.
+ * The decompressMaybe transform handles all three formats automatically.
  * @param layerTarStream image layer as a Readable TAR stream. Note: consumes the stream.
  * @param extractActions array of pattern, callbacks pairs
  * @returns extracted file products
@@ -36,7 +39,6 @@ export async function extractImageLayer(
               stream,
               headers.size,
             );
-
             if (
               !isResultEmpty(callbackResult) ||
               isWhitedOutFile(absoluteFileName)
@@ -49,6 +51,7 @@ export async function extractImageLayer(
               `Exception thrown while applying callbacks during image layer extraction: ${error.message}`,
             );
             reject(error);
+            return;
           }
         } else if (isWhitedOutFile(absoluteFileName)) {
           result[absoluteFileName] = {};
@@ -66,6 +69,6 @@ export async function extractImageLayer(
 
     tarExtractor.on("error", (error) => reject(error));
 
-    layerTarStream.pipe(gunzip()).pipe(tarExtractor);
+    layerTarStream.pipe(decompressMaybe()).pipe(tarExtractor);
   });
 }
@@ -1,12 +1,12 @@
 import * as Debug from "debug";
 import { createReadStream } from "fs";
-import * as gunzip from "gunzip-maybe";
 import { normalize as normalizePath, sep as pathSeparator } from "path";
 import { PassThrough } from "stream";
 import { extract, Extract } from "tar-stream";
 import { getPlatformFromConfig, InvalidArchiveError } from "..";
 import { streamToJson } from "../../stream-utils";
 import { PluginOptions } from "../../types";
+import { decompressMaybe } from "../decompress-maybe";
 import { extractImageLayer } from "../layer";
 import {
   ExtractAction,
@@ -30,6 +30,12 @@ const MEDIATYPE_OCI_MANIFEST_LIST_V1 =
 
 /**
  * Retrieve the products of files content from the specified oci-archive.
+ *
+ * OCI archives contain multiple blobs (configs, manifests, layers). For each blob,
+ * we attempt to parse it as both JSON (for configs/manifests) and as a compressed layer
+ * tarball. Most attempts will fail gracefully (a layer isn't valid JSON, a manifest isn't
+ * a valid tarball), which is expected behavior.
+ *
  * @param ociArchiveFilesystemPath Path to image file saved in oci-archive format.
  * @param extractActions Array of pattern-callbacks pairs.
  * @param options PluginOptions
@@ -79,7 +85,7 @@ export async function extractArchive(
           } else if (isImageIndexFile(manifest)) {
             indexFiles[digest] = manifest as OciImageIndex;
           } else if (isImageConfigFile(manifest)) {
-            configs.push(manifest);
+            configs.push(manifest as ImageConfig);
           }
           if (layer !== undefined) {
             layers[digest] = layer as ExtractedLayers;
@@ -116,7 +122,7 @@ export async function extractArchive(
     });
 
     createReadStream(ociArchiveFilesystemPath)
-      .pipe(gunzip())
+      .pipe(decompressMaybe())
       .pipe(tarExtractor);
   });
 }