disallow absolute file path in `oras push` and `oras attach` by default 

### What is the version of your ORAS CLI

oras 1.0.0

### What would you like to be added?

By default, disable pushing files with absolute file path in `oras push` and `oras attach`, add a new flag, like `--allow-absolute-path` to support glass-breaking scenarios.

The artifact packed via `oras attach/push --allow-absolute-path` can only be pulled via `oras pull --T/allow-path-traversal`

### Why is this needed for ORAS?

Absolutely pathed layers are dangerous, since 
1) File might be written into any folder outside of the working directory.
2) The allowed characters in files names are different between Linux and Windows. Artifacts packed in one platform may not be pulled in another platform.

### Are you willing to submit PRs to contribute to this feature?

- [ ] Yes, I am willing to implement it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

disallow absolute file path in `oras push` and `oras attach` by default #980

What is the version of your ORAS CLI

What would you like to be added?

Why is this needed for ORAS?

Are you willing to submit PRs to contribute to this feature?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

disallow absolute file path in oras push and oras attach by default #980

Description

What is the version of your ORAS CLI

What would you like to be added?

Why is this needed for ORAS?

Are you willing to submit PRs to contribute to this feature?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

disallow absolute file path in `oras push` and `oras attach` by default #980