diff options
| author | Brian Goff <cpuguy83@gmail.com> | 2020-10-12 18:08:28 +0000 |
|---|---|---|
| committer | Tibor Vass <tibor@docker.com> | 2021-01-28 21:43:36 +0000 |
| commit | 420b1d36250f9cfdc561f086f25a213ecb669b6f (patch) | |
| tree | e088e6d3fa79a5d101e1e42ffdb9fe36199e1d77 | |
| parent | 5472f39022e99c14b2f055eac4d9619e3663ae20 (diff) | |
| download | docker-jenkins-test-2.tar.gz | |
pull: Validate layer digest formatv19.03.15jenkins-test-2
Otherwise a malformed or empty digest may cause a panic.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit a7d4af84bd2f189b921c3ec60796aa825e3a0f2a)
Signed-off-by: Tibor Vass <tibor@docker.com>
| -rw-r--r-- | builder/builder-next/adapters/containerimage/pull.go | 3 | ||||
| -rw-r--r-- | distribution/pull_v2.go | 6 |
2 files changed, 9 insertions, 0 deletions
diff --git a/builder/builder-next/adapters/containerimage/pull.go b/builder/builder-next/adapters/containerimage/pull.go index 729ef52ae8..9d6e07e27d 100644 --- a/builder/builder-next/adapters/containerimage/pull.go +++ b/builder/builder-next/adapters/containerimage/pull.go @@ -526,6 +526,9 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) { layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers)) for i, desc := range mfst.Layers { + if err := desc.Digest.Validate(); err != nil { + return nil, errors.Wrap(err, "layer digest could not be validated") + } ongoing.add(desc) layers = append(layers, &layerDescriptor{ desc: desc, diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go index 3307458fdf..cb47264b9a 100644 --- a/distribution/pull_v2.go +++ b/distribution/pull_v2.go @@ -477,6 +477,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv // to top-most, so that the downloads slice gets ordered correctly. for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- { blobSum := verifiedManifest.FSLayers[i].BlobSum + if err = blobSum.Validate(); err != nil { + return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum) + } var throwAway struct { ThrowAway bool `json:"throwaway,omitempty"` @@ -575,6 +578,9 @@ func (p *v2Puller) pullSchema2Layers(ctx context.Context, target distribution.De // Note that the order of this loop is in the direction of bottom-most // to top-most, so that the downloads slice gets ordered correctly. for _, d := range layers { + if err := d.Digest.Validate(); err != nil { + return "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest) + } layerDescriptor := &v2LayerDescriptor{ digest: d.Digest, repo: p.repo, |