fix: fix panics caused by bad digests (#926)

1. Always validate the digest before calling functions like
`desc.Digest.Algorithm()` and `desc.Digest.Verifier()`, which panics
when encountering invalid digest
2. Refactor `buildReferrersTag` to return an error
3. Add corresponding unit tests

Before this PR, pushing descriptors with bad digest to memory store and
file store would panic.
After this PR, pushing descriptors with bad digest to memory store and
file store results in an error.

Fixes: #923
Signed-off-by: Lixia (Sylvia) Lei <[email protected]>

Author: Wwwsylvia

content/file/file_test.go

@@ -18,6 +18,7 @@ package file
 import (
 	"bytes"
 	"context"
+	"crypto/sha1"
 	_ "crypto/sha256"
 	"encoding/json"
 	"errors"
@@ -3354,6 +3355,81 @@ func TestStore_resolveWritePath_Overwrite(t *testing.T) {
 	})
 }
 
+func TestStore_BadDigest(t *testing.T) {
+	data := []byte("hello world")
+	ref := "foobar"
+
+	t.Run("invalid digest", func(t *testing.T) {
+		desc := ocispec.Descriptor{
+			MediaType: "application/test",
+			Size:      int64(len(data)),
+			Digest:    "invalid-digest",
+		}
+
+		s, err := New(t.TempDir())
+		if err != nil {
+			t.Fatal("Store.New() error =", err)
+		}
+		ctx := context.Background()
+		if err := s.Push(ctx, desc, bytes.NewReader(data)); !errors.Is(err, digest.ErrDigestInvalidFormat) {
+			t.Errorf("Store.Push() error = %v, wantErr %v", err, digest.ErrDigestInvalidFormat)
+
+		}
+
+		if err := s.Tag(ctx, desc, ref); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Tag() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Exists(ctx, desc); err != nil {
+			t.Errorf("Store.Exists() error = %v, wantErr %v", err, nil)
+		}
+
+		if _, err := s.Fetch(ctx, desc); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Fetch() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Predecessors(ctx, desc); err != nil {
+			t.Errorf("Store.Predecessors() error = %v, wantErr %v", err, nil)
+		}
+	})
+
+	t.Run("unsupported digest (sha1)", func(t *testing.T) {
+		h := sha1.New()
+		h.Write(data)
+		desc := ocispec.Descriptor{
+			MediaType: "application/test",
+			Size:      int64(len(data)),
+			Digest:    digest.NewDigestFromBytes("sha1", h.Sum(nil)),
+		}
+
+		s, err := New(t.TempDir())
+		if err != nil {
+			t.Fatal("Store.New() error =", err)
+		}
+		ctx := context.Background()
+		if err := s.Push(ctx, desc, bytes.NewReader(data)); !errors.Is(err, digest.ErrDigestUnsupported) {
+			t.Errorf("Store.Push() error = %v, wantErr %v", err, digest.ErrDigestUnsupported)
+
+		}
+
+		if err := s.Tag(ctx, desc, ref); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Tag() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Exists(ctx, desc); err != nil {
+			t.Errorf("Store.Exists() error = %v, wantErr %v", err, nil)
+		}
+
+		if _, err := s.Fetch(ctx, desc); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Fetch() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Predecessors(ctx, desc); err != nil {
+			t.Errorf("Store.Predecessors() error = %v, wantErr %v", err, nil)
+		}
+	})
+}
+
 func equalDescriptorSet(actual []ocispec.Descriptor, expected []ocispec.Descriptor) bool {
 	if len(actual) != len(expected) {
 		return false

content/memory/memory_test.go

@@ -18,6 +18,7 @@ package memory
 import (
 	"bytes"
 	"context"
+	"crypto/sha1"
 	_ "crypto/sha256"
 	"encoding/json"
 	"errors"
@@ -402,6 +403,75 @@ func TestStorePredecessors(t *testing.T) {
 	}
 }
 
+func TestStore_BadDigest(t *testing.T) {
+	data := []byte("hello world")
+	ref := "foobar"
+
+	t.Run("invalid digest", func(t *testing.T) {
+		desc := ocispec.Descriptor{
+			MediaType: "application/test",
+			Size:      int64(len(data)),
+			Digest:    "invalid-digest",
+		}
+
+		s := New()
+		ctx := context.Background()
+		if err := s.Push(ctx, desc, bytes.NewReader(data)); !errors.Is(err, digest.ErrDigestInvalidFormat) {
+			t.Errorf("Store.Push() error = %v, wantErr %v", err, digest.ErrDigestInvalidFormat)
+
+		}
+
+		if err := s.Tag(ctx, desc, ref); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Tag() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Exists(ctx, desc); err != nil {
+			t.Errorf("Store.Exists() error = %v, wantErr %v", err, nil)
+		}
+
+		if _, err := s.Fetch(ctx, desc); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Fetch() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Predecessors(ctx, desc); err != nil {
+			t.Errorf("Store.Predecessors() error = %v, wantErr %v", err, nil)
+		}
+	})
+
+	t.Run("unsupported digest (sha1)", func(t *testing.T) {
+		h := sha1.New()
+		h.Write(data)
+		desc := ocispec.Descriptor{
+			MediaType: "application/test",
+			Size:      int64(len(data)),
+			Digest:    digest.NewDigestFromBytes("sha1", h.Sum(nil)),
+		}
+
+		s := New()
+		ctx := context.Background()
+		if err := s.Push(ctx, desc, bytes.NewReader(data)); !errors.Is(err, digest.ErrDigestUnsupported) {
+			t.Errorf("Store.Push() error = %v, wantErr %v", err, digest.ErrDigestUnsupported)
+
+		}
+
+		if err := s.Tag(ctx, desc, ref); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Tag() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Exists(ctx, desc); err != nil {
+			t.Errorf("Store.Exists() error = %v, wantErr %v", err, nil)
+		}
+
+		if _, err := s.Fetch(ctx, desc); !errors.Is(err, errdef.ErrNotFound) {
+			t.Errorf("Store.Fetch() error = %v, wantErr %v", err, errdef.ErrNotFound)
+		}
+
+		if _, err := s.Predecessors(ctx, desc); err != nil {
+			t.Errorf("Store.Predecessors() error = %v, wantErr %v", err, nil)
+		}
+	})
+}
+
 func equalDescriptorSet(actual []ocispec.Descriptor, expected []ocispec.Descriptor) bool {
 	if len(actual) != len(expected) {
 		return false

content/oci/oci_test.go

@@ -18,6 +18,7 @@ package oci
 import (
 	"bytes"
 	"context"
+	"crypto/sha1"
 	_ "crypto/sha256"
 	"encoding/json"
 	"errors"
@@ -2871,3 +2872,78 @@ func Test_isContextDone(t *testing.T) {
 		t.Errorf("expect error = %v, got %v", context.Canceled, err)
 	}
 }
+
+func TestStore_BadDigest(t *testing.T) {
+	data := []byte("hello world")
+	ref := "foobar"
+
+	t.Run("invalid digest", func(t *testing.T) {
+		desc := ocispec.Descriptor{
+			MediaType: "application/test",
+			Size:      int64(len(data)),
+			Digest:    "invalid-digest",
+		}
+
+		s, err := New(t.TempDir())
+		if err != nil {
+			t.Fatal("Store.New() error =", err)
+		}
+		ctx := context.Background()
+		if err := s.Push(ctx, desc, bytes.NewReader(data)); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Push() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+
+		}
+
+		if err := s.Tag(ctx, desc, ref); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Tag() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+		}
+
+		if _, err := s.Exists(ctx, desc); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Exists() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+		}
+
+		if _, err := s.Fetch(ctx, desc); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Fetch() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+		}
+
+		if _, err := s.Predecessors(ctx, desc); err != nil {
+			t.Errorf("Store.Predecessors() error = %v, wantErr %v", err, nil)
+		}
+	})
+
+	t.Run("unsupported digest (sha1)", func(t *testing.T) {
+		h := sha1.New()
+		h.Write(data)
+		desc := ocispec.Descriptor{
+			MediaType: "application/test",
+			Size:      int64(len(data)),
+			Digest:    digest.NewDigestFromBytes("sha1", h.Sum(nil)),
+		}
+
+		s, err := New(t.TempDir())
+		if err != nil {
+			t.Fatal("Store.New() error =", err)
+		}
+		ctx := context.Background()
+		if err := s.Push(ctx, desc, bytes.NewReader(data)); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Push() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+
+		}
+
+		if err := s.Tag(ctx, desc, ref); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Tag() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+		}
+
+		if _, err := s.Exists(ctx, desc); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Exists() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+		}
+
+		if _, err := s.Fetch(ctx, desc); !errors.Is(err, errdef.ErrInvalidDigest) {
+			t.Errorf("Store.Fetch() error = %v, wantErr %v", err, errdef.ErrInvalidDigest)
+		}
+
+		if _, err := s.Predecessors(ctx, desc); err != nil {
+			t.Errorf("Store.Predecessors() error = %v, wantErr %v", err, nil)
+		}
+	})
+}

content/reader.go

@@ -99,6 +99,11 @@ func (vr *VerifyReader) Verify() error {
 
 // NewVerifyReader wraps r for reading content with verification against desc.
 func NewVerifyReader(r io.Reader, desc ocispec.Descriptor) *VerifyReader {
+	if err := desc.Digest.Validate(); err != nil {
+		return &VerifyReader{
+			err: fmt.Errorf("failed to validate %s: %w", desc.Digest, err),
+		}
+	}
 	verifier := desc.Digest.Verifier()
 	lr := &io.LimitedReader{
 		R: io.TeeReader(r, verifier),

content/reader_test.go

@@ -17,6 +17,7 @@ package content
 
 import (
 	"bytes"
+	"crypto/sha1"
 	_ "crypto/sha256"
 	"errors"
 	"io"
@@ -64,6 +65,9 @@ func TestVerifyReader_Read(t *testing.T) {
 	// mismatched content and descriptor with sufficient buffer
 	r = bytes.NewReader([]byte("bar"))
 	vr = NewVerifyReader(r, desc)
+	if err != nil {
+		t.Fatal("NewVerifyReaderSafe() error = ", err)
+	}
 	buf = make([]byte, 5)
 	n, err = vr.Read(buf)
 	if err != nil {
@@ -97,7 +101,8 @@ func TestVerifyReader_Verify(t *testing.T) {
 	desc = ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageLayer,
 		Digest:    digest.FromBytes(content),
-		Size:      int64(len(content)) - 1}
+		Size:      int64(len(content)) - 1,
+	}
 	vr = NewVerifyReader(r, desc)
 	buf = make([]byte, len(content))
 	if _, err := vr.Read(buf); err != nil {
@@ -117,7 +122,8 @@ func TestVerifyReader_Verify(t *testing.T) {
 	desc = ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageLayer,
 		Digest:    digest.FromBytes(content),
-		Size:      int64(len(content)) + 1}
+		Size:      int64(len(content)) + 1,
+	}
 	vr = NewVerifyReader(r, desc)
 	buf = make([]byte, len(content))
 	if _, err := vr.Read(buf); err != nil {
@@ -188,7 +194,7 @@ func TestReadAll_ReadSizeLargerThanDescriptorSize(t *testing.T) {
 	}
 }
 
-func TestReadAll_InvalidDigest(t *testing.T) {
+func TestReadAll_MismatchedDigest(t *testing.T) {
 	content := []byte("example content")
 	desc := NewDescriptorFromBytes("test", []byte("another content"))
 	r := bytes.NewReader([]byte(content))
@@ -198,6 +204,36 @@ func TestReadAll_InvalidDigest(t *testing.T) {
 	}
 }
 
+func TestReadAll_InvalidDigest(t *testing.T) {
+	content := []byte("example content")
+	desc := ocispec.Descriptor{
+		MediaType: ocispec.MediaTypeImageLayer,
+		Digest:    "invalid-digest",
+		Size:      int64(len(content)),
+	}
+	r := bytes.NewReader([]byte(content))
+	_, err := ReadAll(r, desc)
+	if wantErr := digest.ErrDigestInvalidFormat; !errors.Is(err, wantErr) {
+		t.Errorf("ReadAll() error = %v, want %v", err, wantErr)
+	}
+}
+
+func TestReadAll_UnsupportedAlgorithm_SHA1(t *testing.T) {
+	content := []byte("example content")
+	h := sha1.New()
+	h.Write(content)
+	desc := ocispec.Descriptor{
+		MediaType: ocispec.MediaTypeImageLayer,
+		Digest:    digest.NewDigestFromBytes("sha1", h.Sum(nil)),
+		Size:      int64(len(content)),
+	}
+	r := bytes.NewReader([]byte(content))
+	_, err := ReadAll(r, desc)
+	if wantErr := digest.ErrDigestUnsupported; !errors.Is(err, wantErr) {
+		t.Errorf("ReadAll() error = %v, want %v", err, wantErr)
+	}
+}
+
 func TestReadAll_EmptyContent(t *testing.T) {
 	content := []byte("")
 	desc := NewDescriptorFromBytes("test", content)

registry/remote/referrers.go

@@ -17,6 +17,7 @@ package remote
 
 import (
 	"errors"
+	"fmt"
 	"strings"
 
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -103,10 +104,13 @@ func (e *ReferrersError) IsReferrersIndexDelete() bool {
 // buildReferrersTag builds the referrers tag for the given manifest descriptor.
 // Format: <algorithm>-<digest>
 // Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#unavailable-referrers-api
-func buildReferrersTag(desc ocispec.Descriptor) string {
+func buildReferrersTag(desc ocispec.Descriptor) (string, error) {
+	if err := desc.Digest.Validate(); err != nil {
+		return "", fmt.Errorf("failed to build referrers tag for %s: %w", desc.Digest, err)
+	}
 	alg := desc.Digest.Algorithm().String()
 	encoded := desc.Digest.Encoded()
-	return alg + "-" + encoded
+	return alg + "-" + encoded, nil
 }
 
 // isReferrersFilterApplied checks if requsted is in the applied filter list.