From 8c414fc88da8eaedd6bff0744b863712dae77cb7 Mon Sep 17 00:00:00 2001
From: Sergei Zharinov
Date: Wed, 11 Jan 2023 15:34:08 +0300
Subject: [PATCH 1/3] fix(docker): Validate digest value before calling API

---
 lib/modules/datasource/docker/index.spec.ts | 28 ++++++++++++++-------
 lib/modules/datasource/docker/index.ts | 5 +++-
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/lib/modules/datasource/docker/index.spec.ts b/lib/modules/datasource/docker/index.spec.ts
index 5ccae2c3af5819..1c2026fc883401 100644
--- a/lib/modules/datasource/docker/index.spec.ts
+++ b/lib/modules/datasource/docker/index.spec.ts
@@ -781,7 +781,8 @@ describe('modules/datasource/docker/index', () => {
 });
 
 it('supports architecture-specific digest in OCI manifests with media type', async () => {
-const currentDigest = 'some-image-digest';
+const currentDigest =
+'sha256:0101010101010101010101010101010101010101010101010101010101010101';
 
 httpMock
 .scope(authUrl)
@@ -855,7 +856,8 @@ describe('modules/datasource/docker/index', () => {
 });
 
 it('supports architecture-specific digest in OCI manifests without media type', async () => {
-const currentDigest = 'some-image-digest';
+const currentDigest =
+'sha256:0101010101010101010101010101010101010101010101010101010101010101';
 
 httpMock
 .scope(authUrl)
@@ -1005,7 +1007,8 @@ describe('modules/datasource/docker/index', () => {
 });
 
 it('handles error while retrieving image config blob', async () => {
-const currentDigest = 'some-image-digest';
+const currentDigest =
+'sha256:0101010101010101010101010101010101010101010101010101010101010101';
 
 httpMock
 .scope(authUrl)
@@ -1058,24 +1061,31 @@ describe('modules/datasource/docker/index', () => {
 .scope(baseUrl)
 .get('/', undefined, { badheaders: ['authorization'] })
 .reply(200, { token: 'some-token' })
-.head('/library/some-dep/manifests/some-digest')
+.head(
+'/library/some-dep/manifests/sha256:0101010101010101010101010101010101010101010101010101010101010101'
+)
 .reply(404, {});
 httpMock
 .scope(baseUrl)
 .get('/', undefined, { badheaders: ['authorization'] })
 .reply(200, '', {})
-.head('/library/some-dep/manifests/some-new-value', undefined, {
-badheaders: ['authorization'],
-})
+.head(
+'/library/some-dep/manifests/sha256:fafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafa',
+undefined,
+{
+badheaders: ['authorization'],
+}
+)
 .reply(401);
 const res = await getDigest(
 {
 datasource: 'docker',
 depName: 'some-dep',
-currentDigest: 'some-digest',
+currentDigest:
+'sha256:0101010101010101010101010101010101010101010101010101010101010101',
 },
-'some-new-value'
+'sha256:fafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafa'
 );
 expect(res).toBeNull();
 });
diff --git a/lib/modules/datasource/docker/index.ts b/lib/modules/datasource/docker/index.ts
index 49c98a380288b8..d3d5c6e05c52d2 100644
--- a/lib/modules/datasource/docker/index.ts
+++ b/lib/modules/datasource/docker/index.ts
@@ -1018,7 +1018,10 @@ export class DockerDatasource extends Datasource {
 let digest: string | null = null;
 try {
 let architecture: string | null | undefined = null;
-if (currentDigest) {
+if (
+currentDigest &&
+regEx(/^sha256:[0-9a-f]{64}$/i).test(currentDigest)
+) {
 architecture = await this.getImageArchitecture(
 registryHost,
 dockerRepository,

From 41b8836498a733a1580396fe15f8f904e2c45595 Mon Sep 17 00:00:00 2001
From: Sergei Zharinov
Date: Wed, 11 Jan 2023 16:10:14 +0300
Subject: [PATCH 2/3] Fix

---
 lib/modules/datasource/docker/index.ts | 6 ++----
 lib/util/string.ts | 5 +++++
 2 files changed, 7 insertions(+), 4 deletions(-)
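Review bot: When `currentDigest` is set but fails the new sha256 check in the `index.ts` hunk, the branch is skipped without a trace, so `architecture` stays `null` and a malformed digest read from a repository file is indistinguishable from one that was never supplied; a `logger.debug({ currentDigest }, 'Ignoring malformed currentDigest')` ahead of the `if` would make the skip visible (assuming `logger` is in scope in this module as in the other datasources). The `i` flag admits upper-case hex, which the OCI descriptor spec forbids for sha256 digests, so dropping it would reject only values a conforming registry will not resolve anyway; the same flag is carried into `isDockerDigest` in the second and third patches. None of the spec changes exercise the new rejection path — every updated fixture now holds a valid digest — so a case with an invalid `currentDigest` asserting that no manifest HEAD request is issued would pin the behaviour. The enclosing method starts and ends outside the hunk.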
diff --git a/lib/modules/datasource/docker/index.ts b/lib/modules/datasource/docker/index.ts
index d3d5c6e05c52d2..4e8127e60426ae 100644
--- a/lib/modules/datasource/docker/index.ts
+++ b/lib/modules/datasource/docker/index.ts
@@ -22,6 +22,7 @@ import type {
 import { hasKey } from '../../../util/object';
 import { regEx } from '../../../util/regex';
 import { addSecretForSanitizing } from '../../../util/sanitize';
+import { isDockerDigest } from '../../../util/string';
 import {
 ensurePathPrefix,
 ensureTrailingSlash,
@@ -1018,10 +1019,7 @@ export class DockerDatasource extends Datasource {
 let digest: string | null = null;
 try {
 let architecture: string | null | undefined = null;
-if (
-currentDigest &&
-regEx(/^sha256:[0-9a-f]{64}$/i).test(currentDigest)
-) {
+if (currentDigest && isDockerDigest(currentDigest)) {
 architecture = await this.getImageArchitecture(
 registryHost,
 dockerRepository,
diff --git a/lib/util/string.ts b/lib/util/string.ts
index 4b085d07cbe97b..2ebc23916eb9ea 100644
--- a/lib/util/string.ts
+++ b/lib/util/string.ts
@@ -1,4 +1,5 @@
 import { logger } from '../logger';
+import { regEx } from './regex';
 
 // Return true if the match string is found at index in content
 export function matchAt(
@@ -55,3 +56,7 @@ export function looseEquals(
 }
 return a.localeCompare(b, undefined, { sensitivity: 'base' }) === 0;
 }
+
+export function isDockerDigest(input: string): boolean {
+return regEx(/^sha256:[a-f0-9]{64}$/i).test(input);
+}

From 662cd87013eaae436630d4ecb3a0b5e91bb5bf0d Mon Sep 17 00:00:00 2001
From: Sergei Zharinov
Date: Wed, 11 Jan 2023 16:17:46 +0300
Subject: [PATCH 3/3] Don't use `re2` in this particular case

---
 lib/util/string.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/util/string.ts b/lib/util/string.ts
index 2ebc23916eb9ea..2ef7ae661d3b97 100644
--- a/lib/util/string.ts
+++ b/lib/util/string.ts
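Review bot: `isDockerDigest`, added in the `@@ -55,3 +56,7` hunk of `lib/util/string.ts`, is exported from a shared util with no documentation, and its name promises more than the body delivers: only `sha256:` followed by 64 hex digits passes, while OCI also registers sha512 digests, so a caller handed a sha512 value silently takes the not-a-digest path. A TSDoc line such as `/** True when input is a sha256 image digest (sha256: + 64 hex chars); other digest algorithms are not recognised. */` states that contract explicitly. A unit test with one valid value and a few malformed ones (wrong length, non-hex characters, missing prefix) would lock the accepted shape in, since the datasource spec only covers valid digests.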
@@ -1,5 +1,4 @@
 import { logger } from '../logger';
-import { regEx } from './regex';
 
 // Return true if the match string is found at index in content
 export function matchAt(
@@ -58,5 +57,5 @@ export function looseEquals(
 }
 
 export function isDockerDigest(input: string): boolean {
-return regEx(/^sha256:[a-f0-9]{64}$/i).test(input);
+return /^sha256:[a-f0-9]{64}$/i.test(input);
 }
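Review bot: The switch to a bare regex literal in the `@@ -58,5 +57,5` hunk leaves no hint in the code for why `regEx()` is avoided here, so the next cleanup is likely to put it back; the subject line is the only record. The pattern is anchored, has a single bounded quantifier and no alternation, so evaluating it on the native engine carries no catastrophic-backtracking risk, and a comment above the `return` such as `// Deliberately a plain RegExp rather than regEx(): the pattern is fixed and linear-time` would document that; if the real motivation is an import cycle with `./regex`, say so in the same comment. The `i` flag remains broader than the OCI lowercase-hex requirement, as raised on the first patch.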