diff --git a/docs/handlers/api_test.go b/docs/handlers/api_test.go index c5683dfa3..7f52d13d7 100644 --- a/docs/handlers/api_test.go +++ b/docs/handlers/api_test.go @@ -804,6 +804,14 @@ func testManifestAPI(t *testing.T, env *testEnv, args manifestArgs) (*testEnv, m BlobSum: "qwer", }, }, + History: []schema1.History{ + { + V1Compatibility: "", + }, + { + V1Compatibility: "", + }, + }, } resp = putManifest(t, "putting unsigned manifest", manifestURL, unsignedManifest) @@ -999,6 +1007,19 @@ func testManifestAPI(t *testing.T, env *testEnv, args manifestArgs) (*testEnv, m t.Fatalf("tag not as expected: %q != %q", tagsResponse.Tags[0], tag) } + // Attempt to put a manifest with mismatching FSLayer and History array cardinalities + + unsignedManifest.History = append(unsignedManifest.History, schema1.History{ + V1Compatibility: "", + }) + invalidSigned, err := schema1.Sign(unsignedManifest, env.pk) + if err != nil { + t.Fatalf("error signing manifest") + } + + resp = putManifest(t, "putting invalid signed manifest", manifestDigestURL, invalidSigned) + checkResponse(t, "putting invalid signed manifest", resp, http.StatusBadRequest) + return env, args } @@ -1432,8 +1453,10 @@ func createRepository(env *testEnv, t *testing.T, imageName string, tag string) { BlobSum: "asdf", }, + }, + History: []schema1.History{ { - BlobSum: "qwer", + V1Compatibility: "", }, }, } @@ -1499,6 +1522,7 @@ func TestRegistryAsCacheMutationAPIs(t *testing.T) { Name: imageName, Tag: tag, FSLayers: []schema1.FSLayer{}, + History: []schema1.History{}, } sm, err := schema1.Sign(m, env.pk) diff --git a/docs/storage/manifeststore.go b/docs/storage/manifeststore.go index db49aaa43..d161fb5a5 100644 --- a/docs/storage/manifeststore.go +++ b/docs/storage/manifeststore.go @@ -110,6 +110,11 @@ func (ms *manifestStore) verifyManifest(ctx context.Context, mnfst *schema1.Sign errs = append(errs, fmt.Errorf("repository name does not match manifest name")) } + if len(mnfst.History) != len(mnfst.FSLayers) { + errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d", + len(mnfst.History), len(mnfst.FSLayers))) + } + if _, err := schema1.Verify(mnfst); err != nil { switch err { case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey: diff --git a/docs/storage/manifeststore_test.go b/docs/storage/manifeststore_test.go index 30126e4bb..51370e173 100644 --- a/docs/storage/manifeststore_test.go +++ b/docs/storage/manifeststore_test.go @@ -98,6 +98,10 @@ func TestManifestStorage(t *testing.T) { m.FSLayers = append(m.FSLayers, schema1.FSLayer{ BlobSum: dgst, }) + m.History = append(m.History, schema1.History{ + V1Compatibility: "", + }) + } pk, err := libtrust.GenerateECP256PrivateKey()