archive: validate digests before use

digest.Algorithm() and digest.Encoded() may panic for invalid digests.
Validate prior to calling those methods.

Signed-off-by: Samuel Karp <samuelkarp@google.com>
Samuel Karp 2022-10-06 19:07:34 -07:00
parent 74ab54c06d
commit f9c9121e53
No known key found for this signature in database
GPG Key ID: 997C5A3CD3167CB5
2 changed files with 12 additions and 0 deletions


@ -182,6 +182,9 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts
case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
d, ok := resolvedIndex[desc.Digest]
if !ok {
if err := desc.Digest.Validate(); err != nil {
return err
}
records = append(records, blobRecord(store, desc, &eo.blobRecordOptions))
p, err := content.ReadBlob(ctx, store, desc)
@ -271,6 +274,9 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts
func getRecords(ctx context.Context, store content.Provider, desc ocispec.Descriptor, algorithms map[string]struct{}, brOpts *blobRecordOptions) ([]tarRecord, error) {
var records []tarRecord
exportHandler := func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
if err := desc.Digest.Validate(); err != nil {
return nil, err
}
records = append(records, blobRecord(store, desc, brOpts))
algorithms[desc.Digest.Algorithm().String()] = struct{}{}
return nil, nil
@ -428,6 +434,9 @@ func manifestsRecord(ctx context.Context, store content.Provider, manifests map[
}
dgst := manifest.Config.Digest
if err := dgst.Validate(); err != nil {
return tarRecord{}, err
}
mfsts[i].Config = path.Join("blobs", dgst.Algorithm().String(), dgst.Encoded())
for _, l := range manifest.Layers {
path := path.Join("blobs", l.Digest.Algorithm().String(), l.Digest.Encoded())
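Review bot: The loop over `manifest.Layers` at the end of the manifestsRecord hunk still calls `l.Digest.Algorithm()` and `l.Digest.Encoded()` on each layer digest with no `Validate()` before them, so a manifest carrying a malformed layer digest can still hit the panic that this commit guards against for the config digest. The same guard should be the first statement of the loop body: `if err := l.Digest.Validate(); err != nil { return tarRecord{}, err }`. The rest of the loop body and the earlier part of manifestsRecord are outside the hunk, so it is worth confirming that layer digests are not already validated where the manifest is decoded. If the manifests can originate from imported or pulled image content, a test with an empty or malformed layer digest would pin the non-panicking behaviour.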


@ -300,6 +300,9 @@ func resolveLayers(ctx context.Context, store content.Store, layerFiles []string
}
if s.GetCompression() == compression.Uncompressed {
if compress {
if err := desc.Digest.Validate(); err != nil {
return nil, err
}
ref := fmt.Sprintf("compress-blob-%s-%s", desc.Digest.Algorithm().String(), desc.Digest.Encoded())
labels := map[string]string{
"containerd.io/uncompressed": desc.Digest.String(),