Projects
openEuler:Mainline
isula-build
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 205
View file
_service:tar_scm_kernel_repo:isula-build.spec
Changed
@@ -2,7 +2,7 @@ Name: isula-build Version: 0.9.6 -Release: 16 +Release: 17 Summary: A tool to build container images License: Mulan PSL V2 URL: https://gitee.com/openeuler/isula-build @@ -85,6 +85,12 @@ /usr/share/bash-completion/completions/isula-build %changelog +* Thu Feb 02 2023 daisicheng <daisicheng@huawei.com> - 0.9.6-17 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:add manifest.json verification before loading a tar + * Thu Dec 22 2022 daisicheng <daisicheng@huawei.com> - 0.9.6-16 - Type:bugfix - CVE:NA
View file
_service:recompress:tar_scm_kernel_repo:patch.tar.gz/0136-add-manifest.json-verification-before-loading-a-tar.patch
Added
@@ -0,0 +1,130 @@ +From 373d9fb100649b74811acc73e6b7d67f539b561c Mon Sep 17 00:00:00 2001 +From: daisicheng <daisicheng@huawei.com> +Date: Wed, 1 Feb 2023 15:12:33 +0800 +Subject: [PATCH] add manifest.json verification before loading a tar + +--- + daemon/load.go | 45 +++++++++++++++++++++++++++++++++++++-------- + daemon/load_test.go | 13 +++---------- + 2 files changed, 40 insertions(+), 18 deletions(-) + +diff --git a/daemon/load.go b/daemon/load.go +index c071374..69175d7 100644 +--- a/daemon/load.go ++++ b/daemon/load.go +@@ -16,6 +16,7 @@ package daemon + import ( + "context" + "os" ++ "strconv" + "strings" + + "github.com/containers/image/v5/docker/tarfile" +@@ -175,25 +176,26 @@ func tryToParseImageFormatFromTarball(dataRoot string, opts *LoadOptions) ([]sin + systemContext.BigFilesTemporaryDir = tmpDir + + // try docker format loading +- imagesInTar, err := getDockerRepoTagFromImageTar(systemContext, opts.path) +- if err == nil { ++ imagesInTar, errDockerFormat := getDockerRepoTagFromImageTar(systemContext, opts.path) ++ if errDockerFormat == nil { + logrus.Infof("Parse image successful with %q format", constant.DockerTransport) + opts.format = constant.DockerArchiveTransport + return imagesInTar, nil + } +- logrus.Warnf("Try to Parse image of docker format failed with error: %v", err) ++ logrus.Warnf("Try to Parse image of docker format failed with error: %v", errDockerFormat) + + // try oci format loading +- imagesInTar, err = getOCIRepoTagFromImageTar(systemContext, opts.path) +- if err == nil { ++ imagesInTar, errOciFormat := getOCIRepoTagFromImageTar(systemContext, opts.path) ++ if errOciFormat == nil { + logrus.Infof("Parse image successful with %q format", constant.OCITransport) + opts.format = constant.OCIArchiveTransport + return imagesInTar, nil + } +- logrus.Warnf("Try to parse image of oci format failed with error: %v", err) ++ logrus.Warnf("Try to parse image of oci format failed with error: %v", errOciFormat) + +- // record the last error +- return nil, errors.Wrap(err, "wrong image format detected from local tarball") ++ // record the error ++ return nil, errors.Errorf("wrong image format detected from local tarball: try docker format: %v,try oci format: %v", ++ errDockerFormat, errOciFormat) + } + + func getDockerRepoTagFromImageTar(systemContext *types.SystemContext, path string) ([]singleImage, error) { +@@ -215,6 +217,9 @@ func getDockerRepoTagFromImageTar(systemContext *types.SystemContext, path strin + + imagesInTar := make([]singleImage, 0, len(topLevelImageManifest)) + for i, manifestItem := range topLevelImageManifest { ++ if err := checkManifestIsValid(systemContext, path, i); err != nil { ++ return nil, err ++ } + imageID, err := parseConfigID(manifestItem.Config) + if err != nil { + return nil, err +@@ -282,3 +287,27 @@ func getLoadedImageID(imageRef types.ImageReference, systemContext *types.System + + return "@" + imageDigest.Encoded(), nil + } ++ ++func checkManifestIsValid(systemContext *types.SystemContext, path string, manifestIndex int) error { ++ imageName := exporter.FormatTransport(constant.DockerArchiveTransport, path) ++ srcRef, err := alltransports.ParseImageName(imageName + ":@" + strconv.Itoa(manifestIndex)) ++ if err != nil { ++ return errors.Wrap(err, "failed to parse image name of docker image format") ++ } ++ ++ if srcRef == nil || systemContext == nil { ++ return errors.New("nil image reference or system context when loading image") ++ } ++ ++ newImage, err := srcRef.NewImage(context.TODO(), systemContext) ++ if err != nil { ++ return err ++ } ++ defer func() { ++ if err = newImage.Close(); err != nil { ++ logrus.Errorf("failed to close image: %v", err) ++ } ++ }() ++ ++ return nil ++} +diff --git a/daemon/load_test.go b/daemon/load_test.go +index 5e1a42b..cecda36 100644 +--- a/daemon/load_test.go ++++ b/daemon/load_test.go +@@ -271,7 +271,7 @@ func TestLoadSingleImage(t *testing.T) { + assert.ErrorContains(t, err, tc.errString) + return + } +- assert.ErrorContains(t, err, "failed to get the image") ++ assert.ErrorContains(t, err, "wrong image format detected from local tarball") + }) + } + +@@ -314,16 +314,9 @@ func TestLoadMultipleImages(t *testing.T) { + defer clean(dir) + + path := dir.Join(loadedTarFile) +- repoTags, err := tryToParseImageFormatFromTarball(daemon.opts.DataRoot, &LoadOptions{path: path}) +- assert.NilError(t, err) +- assert.Equal(t, repoTags[0].nameTag[0], "registry.example.com/sayhello:first") +- assert.Equal(t, repoTags[1].nameTag[0], "registry.example.com/sayhello:second") +- assert.Equal(t, repoTags[1].nameTag[1], "registry.example.com/sayhello:third") +- assert.Equal(t, len(repoTags[2].nameTag), 0) +- + req := &pb.LoadRequest{Path: path} + stream := &controlLoadServer{} + +- err = daemon.backend.Load(req, stream) +- assert.ErrorContains(t, err, "failed to get the image") ++ err := daemon.backend.Load(req, stream) ++ assert.ErrorContains(t, err, "wrong image format detected from local tarball") + } +-- +2.33.0 +
View file
_service:tar_scm_kernel_repo:VERSION-vendor
Changed
@@ -1 +1 @@ -0.9.6-16 +0.9.6-17
View file
_service:tar_scm_kernel_repo:git-commit
Changed
@@ -1 +1 @@ -ed2c2b8cd969185451dd4507c4581942b33d5cbe +4f2c91ba3c86b40cc9a86de54dd1d5473ed9cc57
View file
_service:tar_scm_kernel_repo:series.conf
Changed
@@ -43,4 +43,5 @@ patch/0132-add-login_test-logout_test-remove_test-and-import_te.patch patch/0133-cmd-daemon-add-base-test-for-runDaemon-and-before-fu.patch patch/0134-add-dt-for-interface-manifest-health-status-in-daemo.patch -patch/0135-fix-the-login_test-in-daemon-for-euleros-and-openeul.patch \ No newline at end of file +patch/0135-fix-the-login_test-in-daemon-for-euleros-and-openeul.patch +patch/0136-add-manifest.json-verification-before-loading-a-tar.patch \ No newline at end of file
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.