From 2bcb83468beb20d33408f46a9d0e5b589409f245 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Wed, 17 Jan 2024 23:29:52 +0100 Subject: [PATCH] Validate digests before using them MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If doing it makes sense at all, it should happen before the values are used. Signed-off-by: Miloslav Trmač --- storage/storage_dest.go | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/storage/storage_dest.go b/storage/storage_dest.go index c06d6c09fe..cb157eafdf 100644 --- a/storage/storage_dest.go +++ b/storage/storage_dest.go @@ -361,6 +361,18 @@ func (s *storageImageDestination) TryReusingBlobWithOptions(ctx context.Context, // tryReusingBlobAsPending implements TryReusingBlobWithOptions for (blobDigest, size or -1), filling s.blobDiffIDs and other metadata. // The caller must arrange the blob to be eventually committed using s.commitLayer(). func (s *storageImageDestination) tryReusingBlobAsPending(blobDigest digest.Digest, size int64, options *private.TryReusingBlobOptions) (bool, private.ReusedBlob, error) { + if blobDigest == "" { + return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) + } + if err := blobDigest.Validate(); err != nil { + return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) + } + if options.TOCDigest != "" { + if err := options.TOCDigest.Validate(); err != nil { + return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) + } + } + // lock the entire method as it executes fairly quickly s.lock.Lock() defer s.lock.Unlock() @@ -380,18 +392,6 @@ func (s *storageImageDestination) tryReusingBlobAsPending(blobDigest digest.Dige } } - if blobDigest == "" { - return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) - } - if err := blobDigest.Validate(); err != nil { - return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) - } - if options.TOCDigest != "" { - if err := options.TOCDigest.Validate(); err != nil { - return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) - } - } - // Check if we have a wasn't-compressed layer in storage that's based on that blob. // Check if we've already cached it in a file.