Commit Graph

17 Commits

Author SHA1 Message Date
Miloslav Trmač cebe64776a Quote various strings coming from untrusted sources
Typically, use %q instead of %s (or instead of "%s"), to expose
various control characters and the like without interpreting them.

This is not really comprehensive; the codebase makes no _general_
guarantee that any returned string values are free of control
characters or other malicious/misleading metadata. Not even
in returned "error" values (which can legitimately contain newlines,
if nothing else).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2024-05-09 19:22:23 +02:00
Miloslav Trmač 1b8ab79b21 Document InternalUnstableUndocumentedMIMEQuestionMark as BaseVariantName
Commit to it as a public API; it's really only usable for
.BaseVariantName() == .Name().

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2024-02-28 16:41:31 +01:00
Aditya R 8a1955ba80 manifest: introduce internal/manifest.ListInternal and freeze manifest.List
Flips dependency of internal and public manifest.List API and introduces
private manifest.List API which will be extended in future for new
features.

[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]

Signed-off-by: Aditya R <arajan@redhat.com>
2023-02-08 11:21:46 +05:30
Miloslav Trmač 24359e09d1 s/interface{}/any/g
... in almost all cases.

Also rename mSI (map[string]interface{}) to mSA (map[string]any).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2023-02-03 18:34:11 +01:00
Miloslav Trmač 23a22f1f93 Use golang.org/x/exp to avoid open-coded loops.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2023-02-03 18:33:34 +01:00
ningmingxiao a576137520 enhance inspect
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2022-08-09 13:01:48 +08:00
Miloslav Trmač 6d458ba211 Introduce SourcedImage.CanChangeLayerCompression, use it in copy.Image
- Don't compress/decompress layers with unknown MIME types, and layers
  in OCI artifacts.
- Don't even change manifest MIME types in these situations, whatever
  happens.
- Don't substitute compressed/uncompressed variants (via
  TryReusingBlobWithOptions) for OCI artifacts, if we discover the
  same variants when copying images that refer to the same blobs.

Note that this does _not_ restrict compression to algorithms supported
by the SourcedImage, because that would prohibit a single-pass
conversion from v2s2 to OCI while compressing to zstd [1], and that's
a feature we currently exercise in tests. So, this prevents us from
failing to copy OCI artifacts, but users of zstd still need to be careful
about choosing OCI manually.

[1] We would need to ask the _destination_ format handler about
zstd, not the source-format SourcedImage, and we don't currently have
that infrastructure. It's also not immediately clear how to combine
this with the sequence of alternative manifest formats returned by
determineManifestConversion.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-06-16 20:38:15 +02:00
Miloslav Trmač af70b53bbc Split findCompressionMIMETypeSet from compressionVariantMIMEType
We will add another user of the lookup code.

Error messages now use mimeType instead of mt, which were
required to be equal on that code path, now that mt is not visible.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-06-16 20:38:15 +02:00
Daniel J Walsh 968e9a510b Run codespell on code
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-21 07:57:07 -05:00
Miloslav Trmač 7bcf9bc8b6 Reject ambiguous manifest formats
Refuse to process manifest / manifest list data
that could possibly be interpreted as two different
manifest formats, because differences in how those
ambiguities are resolved could be used to bypass
image verification or review mechanisms.

Fixes CVE-2021-41190 / GHSA-77vh-xpmg-72qh .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2021-11-17 21:43:59 +01:00
Miloslav Trmač 3c376ba255 Use pkg/compression/types where possible
Most importantly this removes a dependency of c/image/manifest
(and thus c/image/signature) on pkg/compression and all the implementations.

Use pkg/compression/types everywhere else it is possible as well,
even if it does not remove any dependency on pkg/compression, just
to enforce the discipline.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2021-07-26 15:08:20 +02:00
Miloslav Trmač bf12b61ef5 Rename compression.Algorithm.MIME
... to InternalUnstableUndocumentedMIMEQuestionMark , as
a minimal low-effort attempt to prevent this being a part
of the API stability promise.

Hopefully this will actually be properly documented, or replaced
with something maintainable, instead; this is a stupid stopgap
to decrease the risk of the current state becoming a part of a release.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2021-07-09 12:58:34 +02:00
Giuseppe Scrivano 7421a48994 compression: let algorithms register a MIME type
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-07-02 14:36:48 +02:00
Nalin Dahyabhai 5364600209 blobinfocache: track compression types for locations
Extend the blob info cache to also cache the name of the type of
compression used on a blob that we've seen, or specific values that
indicate that we know the blob was not compressed, or that we don't
know whether or not it was compressed.

New methods for adding known blob-compression pairs and reading
candidate locations including compression information are part of a new
internal BlobInfoCache2 interface which the library's BlobInfoCache
implementors also implement.

When we copy a blob, try to record the state of compression for the
source blob, and if we applied any changes, the blob we produced.

Make sure that when TryReusingBlob successfully uses a blob from the
blob info cache, that it provides compression information in the
BlobInfo that it returns, so that manifests can be updated to describe
layers using the correct MIME types.

When attempting to write a manifest, if a manifest can't be written
because layers were compressed using an algorithm which can't be
expressed using that manifest type, continue on to trying other manifest
formats.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-01-16 13:58:15 -05:00
Miloslav Trmač d459ef043a Factor out updatedMIMEType out of updatedSchema2MIMEType / updatedOCI1MIMEType
Apart from the variant table name, and the MIME type check in schema2,
the two are line-for-line identical.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-04-27 21:50:51 +02:00
Miloslav Trmač c5509767e1 Make MIME type conversions table-driven
... instead of doing exactly the same linear lookups in
manually-written code.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-04-27 21:47:19 +02:00
Miloslav Trmač 7a731fdd75 Move format-independent private utilities to manifest/common.go
separate from the format-specific files, and from the ~generic
public utilities in manifest.go.

Only moves code, should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-04-27 21:34:14 +02:00