From a1c7dfc90302c0aac965c5b05af256fc2aa4a8e9 Mon Sep 17 00:00:00 2001
From: Chris Markiewicz
Date: Thu, 1 Dec 2022 15:33:12 -0500
Subject: [PATCH] NF: Add GZIP_HEADER_DATA issue, following gh-1349 (#1360)

---
 src/schema/meta/context.yaml | 13 +++++++++++++
 src/schema/rules/checks/privacy.yaml | 15 +++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 src/schema/rules/checks/privacy.yaml

diff --git a/src/schema/meta/context.yaml b/src/schema/meta/context.yaml
index 0cc8c26d61..d88ba7fd5e 100644
--- a/src/schema/meta/context.yaml
+++ b/src/schema/meta/context.yaml
@@ -215,6 +215,19 @@ context:
   json:
     description: 'Contents of the current JSON file'
     type: object
+  gzip:
+    description: 'Parsed contents of gzip header'
+    type: object
+    properties:
+      timestamp:
+        description: 'Modification time, unix timestamp'
+        type: number
+      filename:
+        description: 'File name'
+        type: string
+      comment:
+        description: 'Comment'
+        type: string
   nifti_header:
     name: 'NIfTI Header'
     description: 'Parsed contents of NIfTI header referenced elsewhere in schema.'
diff --git a/src/schema/rules/checks/privacy.yaml b/src/schema/rules/checks/privacy.yaml
new file mode 100644
index 0000000000..e3024ee2e7
--- /dev/null
+++ b/src/schema/rules/checks/privacy.yaml
@@ -0,0 +1,15 @@
+---
+GzipHeaderFields:
+  issue:
+    code: GZIP_HEADER_DATA
+    message: |
+      The gzip header contains a non-zero timestamp or a non-empty filename
+      and/or comment field. These may leak sensitive information or indicate
+      a non-reproducible conversion process.
+    level: warning
+  selectors:
+    - match(extension, ".gz$")
+  checks:
+    - gzip.timestamp == 0
+    - gzip.filename == ""
+    - gzip.comment == ""
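Review bot: The new `gzip.filename` and `gzip.comment` properties in context.yaml are declared as plain `string` with no statement of how an absent header field is represented, yet the gzip FNAME and FCOMMENT fields are optional in the format, so a header without them has no natural string value; if the parser exposes such a field as null or leaves it undefined rather than as "", the `gzip.filename == ""` and `gzip.comment == ""` checks in the privacy.yaml hunk would not hold and GZIP_HEADER_DATA would be reported for files that carry no identifying data at all. I would pin the contract in the descriptions, e.g. `description: 'File name (empty string when the header carries no FNAME field)'` and `description: 'Comment (empty string when the header carries no FCOMMENT field)'`, and likewise `description: 'Modification time, unix timestamp (0 when no timestamp is recorded)'` for `timestamp`. The same point applies to the privacy.yaml hunk, where a one-line comment above `checks:` stating that all three conditions must hold for the file to pass would also help, since the single issue code gives the reader no hint which field tripped it. The enclosing `context:` mapping in context.yaml begins outside this hunk.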