[PATCH] pull: Validate layer digest format
authorBrian Goff <cpuguy83@gmail.com>
Mon, 12 Oct 2020 18:08:28 +0000 (18:08 +0000)
committerFelix Geyer <fgeyer@debian.org>
Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)
Otherwise a malformed or empty digest may cause a panic.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit a7d4af84bd2f189b921c3ec60796aa825e3a0f2a)
Signed-off-by: Tibor Vass <tibor@docker.com>
Gbp-Pq: Name cve-2021-21285.patch

engine/builder/builder-next/adapters/containerimage/pull.go
engine/distribution/pull_v2.go

index b1e44d95e9e3919c4d0e26212e443f8f1b6c0ddf..51a9783c15b460e5be25a9851a5e62699cc267dc 100644 (file)
@@ -496,6 +496,9 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {
        layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
 
        for i, desc := range mfst.Layers {
+               if err := desc.Digest.Validate(); err != nil {
+                       return nil, errors.Wrap(err, "layer digest could not be validated")
+               }
                ongoing.add(desc)
                layers = append(layers, &layerDescriptor{
                        desc:    desc,
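Review bot: The error returned from the new check in `Snapshot` does not say which layer failed, although the two checks added in pull_v2.go include the offending value. Suggest matching them: `return nil, errors.Wrapf(err, "could not validate layer digest %q", desc.Digest)`. The digest comes from the pulled manifest, and `%q` keeps it quoted and escaped in logs. The loop index `i` is also in scope if the layer's position is wanted. `Snapshot` starts and continues outside this hunk, so whether earlier `ongoing.add(desc)` calls need undoing on this early return cannot be judged from here.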
index 8f05cfa0b289b7687b84cb1067882cb4e1477160..2c96570b7f76a1aac9d85036895189a20eb602e7 100644 (file)
@@ -462,6 +462,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv
        // to top-most, so that the downloads slice gets ordered correctly.
        for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
                blobSum := verifiedManifest.FSLayers[i].BlobSum
+               if err = blobSum.Validate(); err != nil {
+                       return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
+               }
 
                var throwAway struct {
                        ThrowAway bool `json:"throwaway,omitempty"`
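Review bot: The digest format check in `pullSchema1` runs on a value read from `verifiedManifest`, so whatever verification produced that manifest evidently did not cover the digest format. If that step is the single place every consumer of `FSLayers` passes through, doing `BlobSum.Validate()` there would protect other readers too; this is inferred from the variable name only, since the verification code is outside the hunk. As a smaller point, `if err = blobSum.Validate(); err != nil` assigns the function's outer `err`, while the equivalent check in `pullSchema2` scopes it with `:=`. Using `if err := blobSum.Validate(); err != nil` here would keep the two consistent, unless the outer assignment is deliberate.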
@@ -566,6 +569,9 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s
        // Note that the order of this loop is in the direction of bottom-most
        // to top-most, so that the downloads slice gets ordered correctly.
        for _, d := range mfst.Layers {
+               if err := d.Digest.Validate(); err != nil {
+                       return "", "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest)
+               }
                layerDescriptor := &v2LayerDescriptor{
                        digest:            d.Digest,
                        repo:              p.repo,
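Review bot: The rejection path added at the top of this loop in `pullSchema2` has no regression test in the commit as shown, which lists only pull.go and pull_v2.go. The same holds for the checks in `pullSchema1` and `Snapshot`. Since the description says an empty or malformed digest could panic, a table-driven test would pin the fix. It should feed a manifest with an empty digest and one with a malformed digest, and assert that a wrapped error is returned instead of a panic. A comment above the check, such as `// Digests come from the registry; reject malformed ones before they reach code that assumes a valid format.`, would also record why it must stay ahead of the descriptor construction. `pullSchema2` continues outside the hunk.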