Merge pull request from GHSA-xmmx-7jpf-fx42

[20.10] vendor: update github.com/docker/distribution and github.com/containerd/containerd

distribution/manifest.go

@@ -3,6 +3,7 @@ package distribution
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"io"
 	"io/ioutil"
 
@@ -11,7 +12,9 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/remotes"
 	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
 	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/manifest/schema2"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -166,8 +169,10 @@ func detectManifestMediaType(ra content.ReaderAt) (string, error) {
 func detectManifestBlobMediaType(dt []byte) (string, error) {
 	var mfst struct {
 		MediaType string          `json:"mediaType"`
-		Config    json.RawMessage `json:"config"`   // schema2 Manifest
-		FSLayers  json.RawMessage `json:"fsLayers"` // schema1 Manifest
+		Manifests json.RawMessage `json:"manifests"` // oci index, manifest list
+		Config    json.RawMessage `json:"config"`    // schema2 Manifest
+		Layers    json.RawMessage `json:"layers"`    // schema2 Manifest
+		FSLayers  json.RawMessage `json:"fsLayers"`  // schema1 Manifest
 	}
 
 	if err := json.Unmarshal(dt, &mfst); err != nil {
@@ -178,18 +183,40 @@ func detectManifestBlobMediaType(dt []byte) (string, error) {
 	// Docker types should generally have a media type set.
 	// OCI (golang) types do not have a `mediaType` defined, and it is optional in the spec.
 	//
-	// `distrubtion.UnmarshalManifest`, which is used to unmarshal this for real, checks these media type values.
+	// `distribution.UnmarshalManifest`, which is used to unmarshal this for real, checks these media type values.
 	// If the specified media type does not match it will error, and in some cases (docker media types) it is required.
 	// So pretty much if we don't have a media type we can fall back to OCI.
 	// This does have a special fallback for schema1 manifests just because it is easy to detect.
-	switch {
-	case mfst.MediaType != "":
+	switch mfst.MediaType {
+	case schema2.MediaTypeManifest, specs.MediaTypeImageManifest:
+		if mfst.Manifests != nil || mfst.FSLayers != nil {
+			return "", fmt.Errorf(`media-type: %q should not have "manifests" or "fsLayers"`, mfst.MediaType)
+		}
+		return mfst.MediaType, nil
+	case manifestlist.MediaTypeManifestList, specs.MediaTypeImageIndex:
+		if mfst.Config != nil || mfst.Layers != nil || mfst.FSLayers != nil {
+			return "", fmt.Errorf(`media-type: %q should not have "config", "layers", or "fsLayers"`, mfst.MediaType)
+		}
+		return mfst.MediaType, nil
+	case schema1.MediaTypeManifest:
+		if mfst.Manifests != nil || mfst.Layers != nil {
+			return "", fmt.Errorf(`media-type: %q should not have "manifests" or "layers"`, mfst.MediaType)
+		}
 		return mfst.MediaType, nil
-	case mfst.FSLayers != nil:
+	default:
+		if mfst.MediaType != "" {
+			return mfst.MediaType, nil
+		}
+	}
+	switch {
+	case mfst.FSLayers != nil && mfst.Manifests == nil && mfst.Layers == nil && mfst.Config == nil:
 		return schema1.MediaTypeManifest, nil
-	case mfst.Config != nil:
+	case mfst.Config != nil && mfst.Manifests == nil && mfst.FSLayers == nil,
+		mfst.Layers != nil && mfst.Manifests == nil && mfst.FSLayers == nil:
 		return specs.MediaTypeImageManifest, nil
-	default:
+	case mfst.Config == nil && mfst.Layers == nil && mfst.FSLayers == nil:
+		// fallback to index
 		return specs.MediaTypeImageIndex, nil
 	}
+	return "", errors.New("media-type: cannot determine")
 }

distribution/manifest_test.go

@@ -14,8 +14,10 @@ import (
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/remotes"
 	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
 	"github.com/docker/distribution/manifest/ocischema"
 	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/manifest/schema2"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
@@ -349,3 +351,73 @@ func TestDetectManifestBlobMediaType(t *testing.T) {
 	}
 
 }
+
+func TestDetectManifestBlobMediaTypeInvalid(t *testing.T) {
+	type testCase struct {
+		json     []byte
+		expected string
+	}
+	cases := map[string]testCase{
+		"schema 1 mediaType with manifests": {
+			[]byte(`{"mediaType": "` + schema1.MediaTypeManifest + `","manifests":[]}`),
+			`media-type: "application/vnd.docker.distribution.manifest.v1+json" should not have "manifests" or "layers"`,
+		},
+		"schema 1 mediaType with layers": {
+			[]byte(`{"mediaType": "` + schema1.MediaTypeManifest + `","layers":[]}`),
+			`media-type: "application/vnd.docker.distribution.manifest.v1+json" should not have "manifests" or "layers"`,
+		},
+		"schema 2 mediaType with manifests": {
+			[]byte(`{"mediaType": "` + schema2.MediaTypeManifest + `","manifests":[]}`),
+			`media-type: "application/vnd.docker.distribution.manifest.v2+json" should not have "manifests" or "fsLayers"`,
+		},
+		"schema 2 mediaType with fsLayers": {
+			[]byte(`{"mediaType": "` + schema2.MediaTypeManifest + `","fsLayers":[]}`),
+			`media-type: "application/vnd.docker.distribution.manifest.v2+json" should not have "manifests" or "fsLayers"`,
+		},
+		"oci manifest mediaType with manifests": {
+			[]byte(`{"mediaType": "` + specs.MediaTypeImageManifest + `","manifests":[]}`),
+			`media-type: "application/vnd.oci.image.manifest.v1+json" should not have "manifests" or "fsLayers"`,
+		},
+		"manifest list mediaType with fsLayers": {
+			[]byte(`{"mediaType": "` + manifestlist.MediaTypeManifestList + `","fsLayers":[]}`),
+			`media-type: "application/vnd.docker.distribution.manifest.list.v2+json" should not have "config", "layers", or "fsLayers"`,
+		},
+		"index mediaType with layers": {
+			[]byte(`{"mediaType": "` + specs.MediaTypeImageIndex + `","layers":[]}`),
+			`media-type: "application/vnd.oci.image.index.v1+json" should not have "config", "layers", or "fsLayers"`,
+		},
+		"index mediaType with config": {
+			[]byte(`{"mediaType": "` + specs.MediaTypeImageIndex + `","config":{}}`),
+			`media-type: "application/vnd.oci.image.index.v1+json" should not have "config", "layers", or "fsLayers"`,
+		},
+		"config and manifests": {
+			[]byte(`{"config":{}, "manifests":[]}`),
+			`media-type: cannot determine`,
+		},
+		"layers and manifests": {
+			[]byte(`{"layers":[], "manifests":[]}`),
+			`media-type: cannot determine`,
+		},
+		"layers and fsLayers": {
+			[]byte(`{"layers":[], "fsLayers":[]}`),
+			`media-type: cannot determine`,
+		},
+		"fsLayers and manifests": {
+			[]byte(`{"fsLayers":[], "manifests":[]}`),
+			`media-type: cannot determine`,
+		},
+		"config and fsLayers": {
+			[]byte(`{"config":{}, "fsLayers":[]}`),
+			`media-type: cannot determine`,
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			mt, err := detectManifestBlobMediaType(tc.json)
+			assert.Error(t, err, tc.expected)
+			assert.Equal(t, mt, "")
+		})
+	}
+
+}

vendor.conf

@@ -76,7 +76,7 @@ github.com/ishidawataru/sctp                        f2269e66cdee387bd321445d5d30
 go.etcd.io/bbolt                                    232d8fc87f50244f9c808f4745759e08a304c029 # v1.3.5
 
 # get graph and distribution packages
-github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/docker/distribution                      58f99e93b767ebacbf8e62a9074844712d31a177 github.com/samuelkarp/docker-distribution
 github.com/vbatts/tar-split                         620714a4c508c880ac1bdda9c8370a2b19af1a55 # v0.11.1
 github.com/opencontainers/go-digest                 ea51bea511f75cfa3ef6098cc253c5c3609b037a # v1.0.0
 
@@ -130,7 +130,7 @@ github.com/googleapis/gax-go                        bd5b16380fd03dc758d11cef74ba
 google.golang.org/genproto                          3f1135a288c9a07e340ae8ba4cc6c7065a3160e8
 
 # containerd
-github.com/containerd/containerd                    0edc412565dcc6e3d6125ff9e4b009ad4b89c638 # master (v1.5.0-dev)
+github.com/containerd/containerd                    e048c115a3a89caf63941d363858e207c28bccd6 github.com/moby/containerd # master (v1.5.0-dev) + patch for CVE-2021-41190
 github.com/containerd/fifo                          0724c46b320cf96bb172a0550c19a4b1fca4dacb
 github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165
 github.com/containerd/cgroups                       0b889c03f102012f1d93a97ddd3ef71cd6f4f510