Add output path traversal protection and list available platforms in missing manifest error

Author: jadolg

image.go

@@ -160,6 +160,13 @@ func createOutputTar(ref ImageReference, tempDir, outputDir string, platform Pla
 
 	outputPath := filepath.Join(outputDir, imageFilename(ref, platform))
 
+	// Defense-in-depth: confirm the assembled path stays within the output directory.
+	cleanOut := filepath.Clean(outputDir)
+	cleanPath := filepath.Clean(outputPath)
+	if !strings.HasPrefix(cleanPath, cleanOut+string(filepath.Separator)) {
+		return "", fmt.Errorf("output path escapes cache directory: %s", cleanPath)
+	}
+
 	log.Println("Creating tar archive...")
 	if err := createTar(tempDir, outputPath); err != nil {
 		return "", fmt.Errorf("failed to create tar: %w", err)

registry.go

@@ -282,10 +282,13 @@ func (c *RegistryClient) selectManifestDigest(ref ImageReference, list *Manifest
 			return c.getManifestByDigest(ref, m.Digest)
 		}
 	}
-	if platform.Variant != "" {
-		return nil, fmt.Errorf("no manifest found for platform %s/%s/%s", platform.OS, platform.Architecture, platform.Variant)
+
+	available := make([]string, 0, len(list.Manifests))
+	for _, m := range list.Manifests {
+		p := Platform{OS: m.Platform.OS, Architecture: m.Platform.Architecture, Variant: m.Platform.Variant}
+		available = append(available, p.String())
 	}
-	return nil, fmt.Errorf("no manifest found for platform %s/%s", platform.OS, platform.Architecture)
+	return nil, fmt.Errorf("no manifest found for platform %s; available: %s", platform, strings.Join(available, ", "))
 }
 
 // parseManifestResponse parses the manifest response body based on content type