Default path validation on push #66

Merged
merged 9 commits into from Apr 15, 2019

@shizhMSFT shizhMSFT commented Apr 12, 2019

To generate oras packages / images with good qualities, i.e. secure and cross-platform, oras now checks the image title / path name to push with the following rules:

  1. Path should not be empty.
  2. Path should be clean.
     • foo/bar OK
     • foo/../bar NOT OK
     • bar OK
     • ./bar NOT OK
  3. Path should be slash-separated, i.e. path must be in the unix format.
     • foo/bar OK
     • foo\bar NOT OK
  4. Absolute path is not allowed.
     • /foo/bar NOT OK
     • C:\foo\bar NOT OK
     • C:/foo/bar NOT OK
  5. Path traversal is not allowed.
     • .. NOT OK
     • ../bar NOT OK
     • foo/../../bar NOT OK

Note: All checks are at the oras package level, not the CLI level.

If the user is using oras CLI, the rule (1) is always true.
With #65, the rules (2)-(4) are always true.
Therefore, this validation is basically equivalent to the rule (5).

To disable path validation, you can either

  • Pass option oras.WithNameValidation(nil) to oras.Push().
  • Run oras with --disable-path-validation.

Resolves #57
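
The five rules from the description above, as an added Go example that is not part of this PR or the oras code base. `validateNameAsPath` and `hasDriveLetter` are hypothetical names, and the drive-letter check inspects the string directly (an assumption of this sketch) so the verdict does not depend on the host OS.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// validateNameAsPath is a hypothetical helper written for this example.
// It applies the five rules from the PR description in order and returns
// the first violation found, or nil if the name is acceptable.
func validateNameAsPath(name string) error {
	switch {
	case name == "":
		return errors.New("empty path") // rule 1
	case path.Clean(name) != name:
		return errors.New("path not clean") // rule 2
	case strings.Contains(name, `\`):
		return errors.New("path not slash-separated") // rule 3
	case strings.HasPrefix(name, "/") || hasDriveLetter(name):
		return errors.New("absolute path disallowed") // rule 4
	case name == ".." || strings.HasPrefix(name, "../"):
		return errors.New("path traversal disallowed") // rule 5
	}
	return nil
}

// hasDriveLetter reports a Windows volume prefix such as "C:" by looking at
// the string itself, so Linux and Windows hosts give the same answer.
// Assumption of this example: any "<letter>:" prefix is treated as a drive.
func hasDriveLetter(name string) bool {
	if len(name) < 2 || name[1] != ':' {
		return false
	}
	c := name[0] | 0x20 // fold ASCII upper case to lower case
	return c >= 'a' && c <= 'z'
}

func main() {
	// Constructed inputs: the cases listed in the PR description.
	names := []string{"foo/bar", "bar", "foo/../bar", "./bar", `foo\bar`,
		"/foo/bar", `C:\foo\bar`, "C:/foo/bar", "..", "../bar", "foo/../../bar"}
	for _, n := range names {
		fmt.Printf("%-16q %v\n", n, validateNameAsPath(n))
	}
}
```

Because rule (2) runs first, `foo/../../bar` is rejected as not clean before the traversal check is reached; only already-clean names such as `..` and `../bar` fall through to rule (5).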

@shizhMSFT shizhMSFT added the enhancement New feature or request label Apr 12, 2019
@shizhMSFT
Contributor Author

/test

@jdolitsky
Contributor

/test

@jdolitsky
Contributor

Tests failing w

        push_opts_test.go:43:                                                                                                                               
                Error Trace:    push_opts_test.go:43                                                                                                        
                Error:          An error is expected but got nil.                                                                                           
                Test:           TestPushOptsSuite/TestValidateNameAsPath                                                                                    
                Messages:       windows: absolute path disallowed 

@shizhMSFT
Contributor Author

/test

@shizhMSFT
Contributor Author

Tests failing w

        push_opts_test.go:43:                                                                                                                               
                Error Trace:    push_opts_test.go:43                                                                                                        
                Error:          An error is expected but got nil.                                                                                           
                Test:           TestPushOptsSuite/TestValidateNameAsPath                                                                                    
                Messages:       windows: absolute path disallowed 

fixed

@jdolitsky jdolitsky self-requested a review April 12, 2019 14:20
Contributor

@jdolitsky jdolitsky left a comment


👍

@shizhMSFT
Contributor Author

/test

@shizhMSFT shizhMSFT merged commit 212c034 into master Apr 15, 2019
@shizhMSFT shizhMSFT deleted the shizh/path branch April 15, 2019 02:59
Successfully merging this pull request may close these issues.

Do not allow path traversal by default when pushing package