github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

archive: validate digests before use

Browse Source 
digest.Algorithm() and digest.Encoded() may panic for invalid digests.
Validate prior to calling those methods.

Signed-off-by: Samuel Karp <samuelkarp@google.com>
This commit is contained in:
Samuel Karp 2022-10-06 19:07:34 -07:00
parent 74ab54c06d
commit f9c9121e53
No known key found for this signature in database
GPG Key ID: 997C5A3CD3167CB5
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
images/archive/exporter.go
View File

@ -182,6 +182,9 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts
case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
d, ok := resolvedIndex[desc.Digest] d, ok := resolvedIndex[desc.Digest]
if !ok { if !ok {
if err := desc.Digest.Validate(); err != nil {
return err
}
records = append(records, blobRecord(store, desc, &eo.blobRecordOptions)) records = append(records, blobRecord(store, desc, &eo.blobRecordOptions))
p, err := content.ReadBlob(ctx, store, desc) p, err := content.ReadBlob(ctx, store, desc)
@ -271,6 +274,9 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts
func getRecords(ctx context.Context, store content.Provider, desc ocispec.Descriptor, algorithms map[string]struct{}, brOpts *blobRecordOptions) ([]tarRecord, error) { func getRecords(ctx context.Context, store content.Provider, desc ocispec.Descriptor, algorithms map[string]struct{}, brOpts *blobRecordOptions) ([]tarRecord, error) {
var records []tarRecord var records []tarRecord
exportHandler := func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { exportHandler := func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
if err := desc.Digest.Validate(); err != nil {
return nil, err
}
records = append(records, blobRecord(store, desc, brOpts)) records = append(records, blobRecord(store, desc, brOpts))
algorithms[desc.Digest.Algorithm().String()] = struct{}{} algorithms[desc.Digest.Algorithm().String()] = struct{}{}
return nil, nil return nil, nil
@ -428,6 +434,9 @@ func manifestsRecord(ctx context.Context, store content.Provider, manifests map[
} }
dgst := manifest.Config.Digest dgst := manifest.Config.Digest
if err := dgst.Validate(); err != nil {
return tarRecord{}, err
}
mfsts[i].Config = path.Join("blobs", dgst.Algorithm().String(), dgst.Encoded()) mfsts[i].Config = path.Join("blobs", dgst.Algorithm().String(), dgst.Encoded())
for _, l := range manifest.Layers { for _, l := range manifest.Layers {
path := path.Join("blobs", l.Digest.Algorithm().String(), l.Digest.Encoded()) path := path.Join("blobs", l.Digest.Algorithm().String(), l.Digest.Encoded())

3
images/archive/importer.go
View File

@ -300,6 +300,9 @@ func resolveLayers(ctx context.Context, store content.Store, layerFiles []string
} }
if s.GetCompression() == compression.Uncompressed { if s.GetCompression() == compression.Uncompressed {
if compress { if compress {
if err := desc.Digest.Validate(); err != nil {
return nil, err
}
ref := fmt.Sprintf("compress-blob-%s-%s", desc.Digest.Algorithm().String(), desc.Digest.Encoded()) ref := fmt.Sprintf("compress-blob-%s-%s", desc.Digest.Algorithm().String(), desc.Digest.Encoded())
labels := map[string]string{ labels := map[string]string{
"containerd.io/uncompressed": desc.Digest.String(), "containerd.io/uncompressed": desc.Digest.String(),