archive: validate digests before use
digest.Algorithm() and digest.Encoded() may panic for invalid digests. Validate prior to calling those methods. Signed-off-by: Samuel Karp <samuelkarp@google.com>
		@@ -182,6 +182,9 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts
 | 
				
			|||||||
		case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
 | 
							case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
 | 
				
			||||||
			d, ok := resolvedIndex[desc.Digest]
 | 
								d, ok := resolvedIndex[desc.Digest]
 | 
				
			||||||
			if !ok {
 | 
								if !ok {
 | 
				
			||||||
 | 
									if err := desc.Digest.Validate(); err != nil {
 | 
				
			||||||
 | 
										return err
 | 
				
			||||||
 | 
									}
 | 
				
			||||||
				records = append(records, blobRecord(store, desc, &eo.blobRecordOptions))
 | 
									records = append(records, blobRecord(store, desc, &eo.blobRecordOptions))
 | 
				
			||||||
 | 
					
 | 
				
			||||||
				p, err := content.ReadBlob(ctx, store, desc)
 | 
									p, err := content.ReadBlob(ctx, store, desc)
 | 
				
			||||||
@@ -271,6 +274,9 @@ func Export(ctx context.Context, store content.Provider, writer io.Writer, opts
 | 
				
			|||||||
func getRecords(ctx context.Context, store content.Provider, desc ocispec.Descriptor, algorithms map[string]struct{}, brOpts *blobRecordOptions) ([]tarRecord, error) {
 | 
					func getRecords(ctx context.Context, store content.Provider, desc ocispec.Descriptor, algorithms map[string]struct{}, brOpts *blobRecordOptions) ([]tarRecord, error) {
 | 
				
			||||||
	var records []tarRecord
 | 
						var records []tarRecord
 | 
				
			||||||
	exportHandler := func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 | 
						exportHandler := func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 | 
				
			||||||
 | 
							if err := desc.Digest.Validate(); err != nil {
 | 
				
			||||||
 | 
								return nil, err
 | 
				
			||||||
 | 
							}
 | 
				
			||||||
		records = append(records, blobRecord(store, desc, brOpts))
 | 
							records = append(records, blobRecord(store, desc, brOpts))
 | 
				
			||||||
		algorithms[desc.Digest.Algorithm().String()] = struct{}{}
 | 
							algorithms[desc.Digest.Algorithm().String()] = struct{}{}
 | 
				
			||||||
		return nil, nil
 | 
							return nil, nil
 | 
				
			||||||
@@ -428,6 +434,9 @@ func manifestsRecord(ctx context.Context, store content.Provider, manifests map[
 | 
				
			|||||||
		}
 | 
							}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
		dgst := manifest.Config.Digest
 | 
							dgst := manifest.Config.Digest
 | 
				
			||||||
 | 
							if err := dgst.Validate(); err != nil {
 | 
				
			||||||
 | 
								return tarRecord{}, err
 | 
				
			||||||
 | 
							}
 | 
				
			||||||
		mfsts[i].Config = path.Join("blobs", dgst.Algorithm().String(), dgst.Encoded())
 | 
							mfsts[i].Config = path.Join("blobs", dgst.Algorithm().String(), dgst.Encoded())
 | 
				
			||||||
		for _, l := range manifest.Layers {
 | 
							for _, l := range manifest.Layers {
 | 
				
			||||||
			path := path.Join("blobs", l.Digest.Algorithm().String(), l.Digest.Encoded())
 | 
								path := path.Join("blobs", l.Digest.Algorithm().String(), l.Digest.Encoded())
 | 
				
			||||||
 
 | 
				
			|||||||
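Review bot: In manifestsRecord only `manifest.Config.Digest` is validated, while the loop directly below still calls `l.Digest.Algorithm().String()` and `l.Digest.Encoded()` on every layer digest. By the commit message's own reasoning, those calls may panic on an invalid digest. Unless the layer descriptors are guaranteed to have been validated earlier on this path (not visible in the hunk), add the same guard as the first statement of the loop body: `if err := l.Digest.Validate(); err != nil { return tarRecord{}, err }`. The loop body and the rest of manifestsRecord continue outside the hunk.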
@@ -300,6 +300,9 @@ func resolveLayers(ctx context.Context, store content.Store, layerFiles []string
 | 
				
			|||||||
		}
 | 
							}
 | 
				
			||||||
		if s.GetCompression() == compression.Uncompressed {
 | 
							if s.GetCompression() == compression.Uncompressed {
 | 
				
			||||||
			if compress {
 | 
								if compress {
 | 
				
			||||||
 | 
									if err := desc.Digest.Validate(); err != nil {
 | 
				
			||||||
 | 
										return nil, err
 | 
				
			||||||
 | 
									}
 | 
				
			||||||
				ref := fmt.Sprintf("compress-blob-%s-%s", desc.Digest.Algorithm().String(), desc.Digest.Encoded())
 | 
									ref := fmt.Sprintf("compress-blob-%s-%s", desc.Digest.Algorithm().String(), desc.Digest.Encoded())
 | 
				
			||||||
				labels := map[string]string{
 | 
									labels := map[string]string{
 | 
				
			||||||
					"containerd.io/uncompressed": desc.Digest.String(),
 | 
										"containerd.io/uncompressed": desc.Digest.String(),
 | 
				
			||||||
 
 | 
				
			|||||||
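Review bot: The new early return `return nil, err` inside the `if compress` branch gives the caller no indication of which layer carried the malformed digest. Since `fmt` is already used on the next line, wrap it: `return nil, fmt.Errorf("invalid layer digest %q: %w", desc.Digest, err)`; `%q` keeps a malformed value from an untrusted archive safely quoted in logs. The stream `s` is already in use at this point, so if it is opened earlier in the loop without a deferred close (not visible in this hunk), this return path should close it as well. resolveLayers starts and ends outside the hunk.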