Search before asking
KubeRay Component
ci
What happened + What you expected to happen
During the linter version upgrade, a new G115 (integer overflow) warning was identified in the log extraction logic. Additionally, the current implementation uses defer inside a loop, which can lead to a "too many open files" error when extracting large tarballs.
Proposed Changes:
G115 Fix: Properly validate header.Mode bounds and use an explicit cast to uint32 before passing it to os.FileMode.
Resource Leak Fix: Move the file-closing logic out of defer to ensure file descriptors are released immediately after each file is processed within the loop.
Behavior: Log a warning and skip files with invalid modes rather than attempting a truncated/overflowed conversion.
Location: kubectl-plugin/pkg/cmd/log/log.go
Reproduction script
- Navigate to the kubectl-plugin log directory:

  ```shell
  cd kubectl-plugin/pkg/cmd/log/
  ```

- Remove the suppression comment: locate log.go and remove the // #nosec G115 directive above the os.OpenFile call:

  ```go
  // Remove this line to trigger the lint error:
  // #nosec G115
  outFile, err := os.OpenFile(localFilePath, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
  ```

- Run the linter via pre-commit, from the root of the repository:

  ```shell
  pre-commit run golangci-lint --files kubectl-plugin/pkg/cmd/log/log.go
  ```
Observed Result
The linter fails with the following security warning:

```text
kubectl-plugin/pkg/cmd/log/log.go:418:81: G115: integer overflow conversion int64 -> uint32 (gosec)
	outFile, err := os.OpenFile(localFilePath, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
```
Anything else
Root Cause
tar.Header.Mode is an int64, while os.FileMode is a uint32, so the conversion can overflow if a malicious or malformed tar header supplies a value outside the uint32 range.
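As an added example (not code from the KubeRay repository), the two proposed changes in one self-contained Go program: validMode does the bounds check before the uint32 conversion and skips out-of-range entries with a warning, and extractTar closes each output file explicitly inside the loop instead of with defer. The archive is constructed in memory with one valid entry and two out-of-range modes; all function and file names are my own, not the plugin's.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"math"
	"os"
	"path/filepath"
)

// validMode does the bounds check G115 asks for: convert the int64 only when it fits in uint32.
func validMode(mode int64) (os.FileMode, bool) {
	if mode < 0 || mode > math.MaxUint32 {
		return 0, false
	}
	return os.FileMode(uint32(mode)), true
}

// extractTar writes the regular files of an archive under destDir, skipping entries whose
// mode cannot be represented. Names are joined to destDir as-is; containment is out of scope.
func extractTar(r io.Reader, destDir string) (int, int, error) {
	tr := tar.NewReader(r)
	written, skipped := 0, 0
	for {
		header, err := tr.Next()
		if err == io.EOF { // Next returns io.EOF itself at the end of the archive
			return written, skipped, nil
		}
		if err != nil {
			return written, skipped, err
		}
		if header.Typeflag != tar.TypeReg {
			continue
		}
		mode, ok := validMode(header.Mode)
		if !ok {
			fmt.Fprintf(os.Stderr, "warning: skipping %q: mode %d does not fit in uint32\n", header.Name, header.Mode)
			skipped++
			continue
		}
		outFile, err := os.OpenFile(filepath.Join(destDir, header.Name), os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
		if err != nil {
			return written, skipped, err
		}
		_, copyErr := io.Copy(outFile, tr)
		// Close explicitly, per entry: a `defer outFile.Close()` here would only run when extractTar returns.
		closeErr := outFile.Close()
		if copyErr != nil {
			return written, skipped, copyErr
		}
		if closeErr != nil { // a failed Close can mean lost data, so it is not ignored
			return written, skipped, closeErr
		}
		written++
	}
}

// buildArchive constructs the sample input: one well-formed entry and two whose Mode lies
// outside the uint32 range. archive/tar stores those in GNU base-256 form, so they survive the round trip.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string; mode int64 }{
		{"ok.log", "ok\n", 0o644}, {"huge.log", "bad\n", int64(1) << 40}, {"neg.log", "bad\n", -1},
	} {
		hdr := &tar.Header{Name: e.name, Mode: e.mode, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// runDemo extracts the sample archive into a throwaway directory and reports what happened.
func runDemo() (written, skipped int, content string, err error) {
	dir, err := os.MkdirTemp("", "kuberay-log-extract-")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	if written, skipped, err = extractTar(bytes.NewReader(buildArchive()), dir); err != nil {
		return
	}
	data, err := os.ReadFile(filepath.Join(dir, "ok.log"))
	return written, skipped, string(data), err
}

func main() {
	written, skipped, content, err := runDemo()
	fmt.Printf("written=%d skipped=%d ok.log=%q err=%v\n", written, skipped, content, err)
}
```

Running it writes ok.log, skips huge.log and neg.log with one warning each, and reports written=1 skipped=2. One hardening that goes beyond the issue: even an in-range mode from an untrusted archive can carry setuid, setgid or sticky bits, so masking with mode.Perm() (or taking header.FileInfo().Mode().Perm()) before the OpenFile call is worth considering.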
Are you willing to submit a PR?