From 460c943125d9eca7cb4259d42c6c008a709e9dbe Mon Sep 17 00:00:00 2001 From: haozi007 Date: Wed, 23 Aug 2023 15:42:42 +0800 Subject: [PATCH 29/33] [image] ensure id of loaded and pulled image is valid Signed-off-by: haozi007 --- src/daemon/modules/image/oci/oci_import.c | 14 ++++++++++--- src/daemon/modules/image/oci/oci_load.c | 21 ++++++------------- .../modules/image/oci/registry/registry.c | 8 ++++++- src/daemon/modules/image/oci/utils_images.c | 17 ++++++++++++++- src/daemon/modules/image/oci/utils_images.h | 3 +++ src/utils/cutils/utils.h | 2 -- src/utils/sha256/sha256.c | 1 - 7 files changed, 43 insertions(+), 23 deletions(-) diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c index 1e14a916..0568c23f 100644 --- a/src/daemon/modules/image/oci/oci_import.c +++ b/src/daemon/modules/image/oci/oci_import.c @@ -93,7 +93,7 @@ static int register_layer(import_desc *desc) return -1; } - id = util_without_sha256_prefix(desc->uncompressed_digest); + id = oci_image_id_from_digest(desc->uncompressed_digest); if (id == NULL) { ERROR("Invalid NULL param"); return -1; @@ -315,8 +315,16 @@ static int register_image(import_desc *desc) opts.create_time = &desc->now_time; opts.digest = desc->manifest_digest; - image_id = util_without_sha256_prefix(desc->config_digest); - top_layer_id = util_without_sha256_prefix(desc->uncompressed_digest); + image_id = oci_image_id_from_digest(desc->config_digest); + if (image_id == NULL) { + ret = -1; + goto out; + } + top_layer_id = oci_image_id_from_digest(desc->uncompressed_digest); + if (top_layer_id == NULL) { + ret = -1; + goto out; + } ret = storage_img_create(image_id, top_layer_id, NULL, &opts); if (ret != 0) { pre_top_layer = storage_get_img_top_layer(image_id); diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c index fd707330..31ae3849 100644 --- a/src/daemon/modules/image/oci/oci_load.c +++ b/src/daemon/modules/image/oci/oci_load.c @@ -290,16 +290,6 @@ out: return full_digest; } -static char *oci_load_without_sha256_prefix(char *digest) -{ - if (digest == NULL) { - ERROR("Invalid digest NULL when strip sha256 prefix"); - return NULL; - } - - return digest + strlen(SHA256_PREFIX); -} - static int registry_layer_from_tarball(const load_layer_blob_t *layer, const char *id, const char *parent) { int ret = 0; @@ -345,7 +335,7 @@ static int oci_load_register_layers(load_image_t *desc) } for (i = 0; i < desc->layers_len; i++) { - id = oci_load_without_sha256_prefix(desc->layers[i]->chain_id); + id = oci_image_id_from_digest(desc->layers[i]->chain_id); if (id == NULL) { ERROR("layer %zu have NULL digest for image %s", i, desc->im_id); ret = -1; @@ -457,7 +447,7 @@ static int oci_load_create_image(load_image_t *desc, const char *dst_tag) top_layer_index = desc->layers_len - 1; opts.create_time = ×tamp; opts.digest = desc->manifest_digest; - top_layer_id = oci_load_without_sha256_prefix(desc->layers[top_layer_index]->chain_id); + top_layer_id = oci_image_id_from_digest(desc->layers[top_layer_index]->chain_id); if (top_layer_id == NULL) { ERROR("NULL top layer id found for image %s", desc->im_id); ret = -1; @@ -764,7 +754,7 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items } parent_chain_id_sha256 = im->layers[i]->chain_id; - id = oci_load_without_sha256_prefix(im->layers[i]->chain_id); + id = oci_image_id_from_digest(im->layers[i]->chain_id); if (id == NULL) { ERROR("Wipe out sha256 prefix failed from layer with chain id : %s", im->layers[i]->chain_id); ret = -1; @@ -832,7 +822,8 @@ static load_image_t *oci_load_process_manifest(const image_manifest_items_elemen goto out; } - image_id = oci_load_without_sha256_prefix(image_digest); + // call util_valid_digest to ensure digest is valid, so image id is valid + image_id = oci_image_id_from_digest(image_digest); if (image_id == NULL) { ret = -1; ERROR("Remove sha256 prefix error from image digest %s", image_digest); @@ -872,7 +863,7 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre) return -1; } - id = oci_load_without_sha256_prefix(chain_id_pre); + id = oci_image_id_from_digest(chain_id_pre); if (id == NULL) { ERROR("Get chain id failed from value:%s", chain_id_pre); return -1; diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c index 35753c79..4124281d 100644 --- a/src/daemon/modules/image/oci/registry/registry.c +++ b/src/daemon/modules/image/oci/registry/registry.c @@ -877,7 +877,13 @@ static int register_image(pull_descriptor *desc) // lock when create image to make sure image content all exist mutex_lock(&g_shared->image_mutex); - image_id = util_without_sha256_prefix(desc->config.digest); + image_id = oci_image_id_from_digest(desc->config.digest); + if (image_id == NULL) { + ERROR("Invalid digest: %s", desc->config.digest); + isulad_try_set_error_message("invalid image digest: %s", desc->config.digest); + ret = -1; + goto out; + } ret = create_image(desc, image_id, &reuse); if (ret != 0) { ERROR("create image %s failed", desc->image_name); diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c index 4342db5b..f92ee59a 100644 --- a/src/daemon/modules/image/oci/utils_images.c +++ b/src/daemon/modules/image/oci/utils_images.c @@ -691,4 +691,19 @@ int oci_split_search_name(const char *search_name, char **host, char **name) return 0; } -#endif \ No newline at end of file +#endif + +char *oci_image_id_from_digest(char *digest) +{ + if (digest == NULL) { + ERROR("Empty digest"); + return NULL; + } + + if (!util_valid_digest(digest)) { + ERROR("Load image with invalid digest: %s", digest); + return NULL; + } + + return digest + strlen(SHA256_PREFIX); +} diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h index 2238bb91..ea0fb20a 100644 --- a/src/daemon/modules/image/oci/utils_images.h +++ b/src/daemon/modules/image/oci/utils_images.h @@ -61,6 +61,9 @@ char *get_hostname_to_strip(void); char *oci_image_digest_pos(const char *name); +// return a pointer to digest string without 'sha256:' prefix +char *oci_image_id_from_digest(char *digest); + #ifdef __cplusplus } #endif diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h index 83b20e5e..3acf0698 100644 --- a/src/utils/cutils/utils.h +++ b/src/utils/cutils/utils.h @@ -388,8 +388,6 @@ int util_generate_random_str(char *id, size_t len); int util_check_inherited_exclude_fds(bool closeall, int *fds_to_ignore, size_t len_fds); -char *util_without_sha256_prefix(char *digest); - int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant); int util_read_pid_ppid_info(uint32_t pid, pid_ppid_info_t *pid_info); diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c index 54cc2862..4e692355 100644 --- a/src/utils/sha256/sha256.c +++ b/src/utils/sha256/sha256.c @@ -388,7 +388,6 @@ char *sha256_full_digest_str(char *str) char *util_without_sha256_prefix(char *digest) { if (digest == NULL || !util_has_prefix(digest, SHA256_PREFIX)) { - ERROR("Invalid digest when strip sha256 prefix"); return NULL; } -- 2.40.1