
Oras pushes an artifact when the uploaded file is given as an absolute path, but fails on pull (tested with Azure Container Registry) #973

Closed
suganyas opened this issue Jun 14, 2023 · 6 comments
Labels
duplicate This issue or pull request already exists question Further information is requested

suganyas commented Jun 14, 2023

What happened in your environment?

I am trying to push an OCI artifact (or any file) to Azure Container Registry using oras, and it pushes fine when I set the file path as an absolute path in the CLI.
Example: oras push acrsscregistrya.azurecr.io/testoras:1.0 --artifact-type exe /Users/suganyasrinivasan/Desktop/requirements.txt:application/exe
But it fails while trying to pull it:
oras pull acrsscregistrya.azurecr.io/testoras:1.0
But when I push it with a relative path, or from the same directory as the file, it works fine.
Example:
cd /Users/suganyasrinivasan/Desktop
oras push acrsscregistrya.azurecr.io/testoras:2.0 --artifact-type exe requirements.txt:application/exe

(Screenshots attached for both scenarios.)

What did you expect to happen?

Oras should either fail to push the file or set the path relatively, so that the pull succeeds.

The issue is most likely that the annotation is set to the absolute path and then treated as relative by oras. But I am not very sure. Like this:
https://github.com/oras-project/oras-py/blob/209c9b98043a00d1b04789cc2967ca7021dc5b2e/oras/oci.py#L49

How can we reproduce it?

See the steps under "What happened in your environment?" above.

What is the version of your ORAS CLI?

Version: 0.16.0+Homebrew
Go version: go1.19.3

What is your OS environment?

Mac, Linux

Are you willing to submit PRs to fix it?

  • Yes, I am willing to fix it.
@suganyas suganyas added the bug Something isn't working label Jun 14, 2023
qweeah commented Jun 19, 2023

@suganyas It's by design. For security considerations, by default oras pull doesn't allow you to write into folders outside of the working directory. You may add -T or --allow-path-traversal to the pull command to allow it.

@qweeah qweeah added question Further information is requested and removed bug Something isn't working labels Jun 19, 2023
suganyas (author) commented
Can this be added to the error message when the pull fails with "Path travel disallowed"? E.g. "Use pull with option -T or --allow-path-traversal to allow path traversal."

qweeah commented Jun 19, 2023

> Can this be added to the error message when the pull fails with "Path travel disallowed"? E.g. "Use pull with option -T or --allow-path-traversal to allow path traversal."

thanks @suganyas for the advice, created #978

qweeah commented Jun 20, 2023

@suganyas Worth mentioning: did you produce this artifact? It's not recommended to produce artifacts with absolutely pathed layers.

suganyas (author) commented
Hi @qweeah, yes, I just tried to push an artifact file from a Linux environment, from an absolute path or from a different directory. The path is implicitly taken by the oras CLI or oras SDK when I pushed it. For example, the file was at /home/vts/1/a.exe and I pushed from /home/test. I am OK with the push failing and telling me that the file is not in the current directory and that for security reasons you have to be in the same working directory, but the push passes and the pull fails.
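The refusal qweeah describes above, and the /home/vts/1/a.exe vs. /home/test case in this comment, come down to one question: does the file name recorded in a layer's `org.opencontainers.image.title` annotation resolve to a location inside the directory the pull writes into? The program below is an added example written for this page, not oras or oras-go code. It assumes that the title annotation is what oras uses as the output path (the thread does not show the manifest), and it uses a constructed manifest with placeholder digests rather than anything fetched from a registry. `IsWithin` is a lexical containment check in the spirit of the default-on protection that `-T`/`--allow-path-traversal` switches off; `PlanPull` applies it to every titled layer and refuses, naming the offending title, before anything is written. It goes a little beyond the thread by also rejecting `..` segments and the sibling-prefix case (`/home/test2` when the output directory is `/home/test`).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed (not shown in the thread): the OCI annotation oras stores the
// pushed file name in, and reads back as the output path on pull.
const titleAnnotation = "org.opencontainers.image.title"

// ErrPathTraversal is this example's equivalent of the refusal in the thread.
var ErrPathTraversal = errors.New("path traversal disallowed")

type descriptor struct {
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type manifest struct {
	Layers []descriptor `json:"layers"`
}

// LayerCheck records where one titled layer would be written and whether
// that location stays inside the output directory.
type LayerCheck struct {
	Digest, Title, Target string
	Inside                bool
}

// IsWithin resolves title against base (absolute titles are taken as-is,
// relative ones are joined to base) and reports whether the result is inside
// base. The check is purely lexical: it catches absolute paths, "..", and the
// sibling-prefix trick (/home/test2 vs /home/test), but it does not follow
// symlinks that may already exist under base.
func IsWithin(base, title string) (bool, string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return false, "", err
	}
	target := filepath.Join(absBase, title)
	if filepath.IsAbs(title) {
		target = filepath.Clean(title)
	}
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return false, target, nil // e.g. different Windows volumes: treat as outside
	}
	rel = filepath.ToSlash(rel)
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return false, target, nil
	}
	return true, target, nil
}

// PlanPull parses an OCI manifest and evaluates every titled layer against
// outDir. With allowTraversal false it returns ErrPathTraversal, wrapped with
// the first offending title, so nothing is written; with it true (the -T
// case) escaping layers are only reported in the returned checks.
func PlanPull(data []byte, outDir string, allowTraversal bool) ([]LayerCheck, error) {
	var m manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var checks []LayerCheck
	for _, l := range m.Layers {
		title, ok := l.Annotations[titleAnnotation]
		if !ok {
			continue // untitled blobs have no file name to write
		}
		inside, target, err := IsWithin(outDir, title)
		if err != nil {
			return nil, err
		}
		checks = append(checks, LayerCheck{l.Digest, title, target, inside})
	}
	if !allowTraversal {
		for _, c := range checks {
			if !c.Inside {
				return checks, fmt.Errorf("%w: %q resolves to %s, outside %s (use -T/--allow-path-traversal to override)",
					ErrPathTraversal, c.Title, c.Target, outDir)
			}
		}
	}
	return checks, nil
}

// SampleManifest is constructed for this example; digests are placeholders.
// The titles reproduce the shapes from the thread plus a few worth testing.
const SampleManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "layers": [
    {"digest": "sha256:l1", "annotations": {"org.opencontainers.image.title": "/home/vts/1/a.exe"}},
    {"digest": "sha256:l2", "annotations": {"org.opencontainers.image.title": "requirements.txt"}},
    {"digest": "sha256:l3", "annotations": {"org.opencontainers.image.title": "../../etc/cron.d/job"}},
    {"digest": "sha256:l4", "annotations": {"org.opencontainers.image.title": "/home/test/build/a.exe"}},
    {"digest": "sha256:l5", "annotations": {"org.opencontainers.image.title": "/home/test2/a.exe"}},
    {"digest": "sha256:l6"}
  ]
}`

func main() {
	checks, err := PlanPull([]byte(SampleManifest), "/home/test", false)
	for _, c := range checks {
		fmt.Printf("%-24s -> %-28s inside=%v\n", c.Title, c.Target, c.Inside)
	}
	if err != nil {
		fmt.Println("pull refused:", err)
	}
}
```

Run with the output directory set to the directory you would pull from; the absolute title from another directory, the `..` title and the sibling-prefix title are refused, while a plain relative name and an absolute title that happens to sit below the output directory are accepted. The push side is the mirror image: recording `filepath.Base` of the file argument as the title, or refusing absolute paths at push time as the reporter suggests, avoids producing an artifact that can only be pulled with `-T`.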

@shizhMSFT shizhMSFT added this to the v1.1.0 milestone Jun 28, 2023
@shizhMSFT shizhMSFT added the duplicate This issue or pull request already exists label Jun 28, 2023
shizhMSFT commented
Marking this issue as a duplicate of #983
