From 64cb04676cf40c8eeee2f75f8105dea38cdc3964 Mon Sep 17 00:00:00 2001 From: Kohei Tokunaga Date: Thu, 18 Nov 2021 14:59:45 +0900 Subject: [PATCH 1/2] go.mod: Bump up containerd to the latest Signed-off-by: Kohei Tokunaga --- cmd/go.mod | 4 ++-- cmd/go.sum | 8 ++++---- go.mod | 2 +- go.sum | 4 ++-- ipfs/go.mod | 2 +- ipfs/go.sum | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/cmd/go.mod b/cmd/go.mod index acf7d6229..1ba20b9b3 100644 --- a/cmd/go.mod +++ b/cmd/go.mod @@ -3,8 +3,8 @@ module github.com/containerd/stargz-snapshotter/cmd go 1.16 require ( - github.com/containerd/containerd v1.6.0-beta.2 - github.com/containerd/containerd/api v1.6.0-beta.1.0.20211111224154-bd81f8a39d85 + github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a + github.com/containerd/containerd/api v1.6.0-beta.2.0.20211117185425-a776a27af54a github.com/containerd/go-cni v1.1.1-0.20211026134925-aa8bf14323a5 github.com/containerd/stargz-snapshotter v0.10.0 github.com/containerd/stargz-snapshotter/estargz v0.10.0 diff --git a/cmd/go.sum b/cmd/go.sum index 44c1aa29a..b330bfb36 100644 --- a/cmd/go.sum +++ b/cmd/go.sum 
@@ -213,11 +213,11 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= -github.com/containerd/containerd v1.6.0-beta.2 h1:vGPOMIfbInmhBtD2inCTfVYf/aMzhDkOwIbcQtv77Lo= -github.com/containerd/containerd v1.6.0-beta.2/go.mod h1:0AwP8LDBKEIaCT48IETmHkY1+YX7c/ALcN1kkLGBLtk= +github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a h1:iqzPe/frSKbx/J9pDkZapSyXIDQpzEAZ01tJhQ+tAlE= +github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a/go.mod h1:0AwP8LDBKEIaCT48IETmHkY1+YX7c/ALcN1kkLGBLtk= github.com/containerd/containerd/api v1.6.0-beta.1/go.mod h1:XDzkCoLyj2hn24f13Jcuq/U2bHb2LjJ2qWlklgL0Ofg= -github.com/containerd/containerd/api v1.6.0-beta.1.0.20211111224154-bd81f8a39d85 h1:HstfIMyCr8XvSNE+UyWDR8WVD1aBhD+mLqhvUfal97c= -github.com/containerd/containerd/api v1.6.0-beta.1.0.20211111224154-bd81f8a39d85/go.mod h1:fkctx1jj7m92mQDI6mIEXF+SH3tt2Rv/azUHqrOxYPc= +github.com/containerd/containerd/api v1.6.0-beta.2.0.20211117185425-a776a27af54a h1:hTp0CAfL0LARTyQ280r5Hre+sfeGfJxAysvxEraA9GY= +github.com/containerd/containerd/api v1.6.0-beta.2.0.20211117185425-a776a27af54a/go.mod h1:fkctx1jj7m92mQDI6mIEXF+SH3tt2Rv/azUHqrOxYPc= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= diff --git a/go.mod b/go.mod index 2aeba7710..63e98807b 100644 --- a/go.mod +++ b/go.mod 
@@ -4,7 +4,7 @@ go 1.16 require ( github.com/containerd/console v1.0.3 - github.com/containerd/containerd v1.6.0-beta.2 + github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a github.com/containerd/continuity v0.2.1 github.com/containerd/stargz-snapshotter/estargz v0.10.0 github.com/docker/cli v20.10.10+incompatible diff --git a/go.sum b/go.sum index e1d134ceb..2cbdfa7e1 100644 --- a/go.sum +++ b/go.sum @@ -178,8 +178,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= -github.com/containerd/containerd v1.6.0-beta.2 h1:vGPOMIfbInmhBtD2inCTfVYf/aMzhDkOwIbcQtv77Lo= -github.com/containerd/containerd v1.6.0-beta.2/go.mod h1:0AwP8LDBKEIaCT48IETmHkY1+YX7c/ALcN1kkLGBLtk= +github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a h1:iqzPe/frSKbx/J9pDkZapSyXIDQpzEAZ01tJhQ+tAlE= +github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a/go.mod h1:0AwP8LDBKEIaCT48IETmHkY1+YX7c/ALcN1kkLGBLtk= github.com/containerd/containerd/api v1.6.0-beta.1 h1:WsGkrMHRXh866so1QnzO5THUBaBsFir4WLX70m87RsI= github.com/containerd/containerd/api v1.6.0-beta.1/go.mod h1:XDzkCoLyj2hn24f13Jcuq/U2bHb2LjJ2qWlklgL0Ofg= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= diff --git a/ipfs/go.mod b/ipfs/go.mod index 0e206412b..56b5e6583 100644 --- a/ipfs/go.mod +++ b/ipfs/go.mod 
@@ -3,7 +3,7 @@ module github.com/containerd/stargz-snapshotter/ipfs go 1.16 require ( - github.com/containerd/containerd v1.6.0-beta.2 + github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a github.com/ipfs/go-cid v0.1.0 github.com/ipfs/go-ipfs-files v0.0.9 github.com/ipfs/interface-go-ipfs-core v0.5.2 diff --git a/ipfs/go.sum b/ipfs/go.sum index 1c9293a9f..e8812ed99 100644 --- a/ipfs/go.sum +++ b/ipfs/go.sum @@ -205,8 +205,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= -github.com/containerd/containerd v1.6.0-beta.2 h1:vGPOMIfbInmhBtD2inCTfVYf/aMzhDkOwIbcQtv77Lo= -github.com/containerd/containerd v1.6.0-beta.2/go.mod h1:0AwP8LDBKEIaCT48IETmHkY1+YX7c/ALcN1kkLGBLtk= +github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a h1:iqzPe/frSKbx/J9pDkZapSyXIDQpzEAZ01tJhQ+tAlE= +github.com/containerd/containerd v1.6.0-beta.2.0.20211117185425-a776a27af54a/go.mod h1:0AwP8LDBKEIaCT48IETmHkY1+YX7c/ALcN1kkLGBLtk= github.com/containerd/containerd/api v1.6.0-beta.1 h1:WsGkrMHRXh866so1QnzO5THUBaBsFir4WLX70m87RsI= github.com/containerd/containerd/api v1.6.0-beta.1/go.mod h1:XDzkCoLyj2hn24f13Jcuq/U2bHb2LjJ2qWlklgL0Ofg= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= From e1b5341ebcab008433c24a9a73263f05974d8c7d Mon Sep 17 00:00:00 2001 From: Kohei Tokunaga Date: Thu, 18 Nov 2021 15:35:47 +0900 Subject: [PATCH 2/2] Make manifest detection stricter Signed-off-by: Kohei Tokunaga --- store/refs.go | 29 +++++++++++++++----- util/containerdutil/manifest.go | 48 +++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 6 deletions(-) 
diff --git a/store/refs.go b/store/refs.go
index 66ca21f8f..fba122edc 100644
--- a/store/refs.go
+++ b/store/refs.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sync"
@@ -32,6 +33,7 @@ import (
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
 	"github.com/containerd/stargz-snapshotter/fs/source"
+	"github.com/containerd/stargz-snapshotter/util/containerdutil"
 	"github.com/containerd/stargz-snapshotter/util/lrucache"
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -250,10 +252,27 @@ func fetchManifestPlatform(ctx context.Context, fetcher remotes.Fetcher, desc oc
 	var manifest ocispec.Manifest
 	switch desc.MediaType {
 	case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
-		err = json.NewDecoder(r).Decode(&manifest)
+		p, err := ioutil.ReadAll(r)
+		if err != nil {
+			return ocispec.Manifest{}, err
+		}
+		if err := containerdutil.ValidateMediaType(p, desc.MediaType); err != nil {
+			return ocispec.Manifest{}, err
+		}
+		if err := json.Unmarshal(p, &manifest); err != nil {
+			return ocispec.Manifest{}, err
+		}
+		return manifest, nil
 	case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
 		var index ocispec.Index
-		if err = json.NewDecoder(r).Decode(&index); err != nil {
+		p, err := ioutil.ReadAll(r)
+		if err != nil {
+			return ocispec.Manifest{}, err
+		}
+		if err := containerdutil.ValidateMediaType(p, desc.MediaType); err != nil {
+			return ocispec.Manifest{}, err
+		}
+		if err = json.Unmarshal(p, &index); err != nil {
 			return ocispec.Manifest{}, err
 		}
 		var target ocispec.Descriptor
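Review bot: The body read with `ioutil.ReadAll(r)` in both new branches is neither bounded by `desc.Size` nor compared against `desc.Digest` before `ValidateMediaType` and `json.Unmarshal` operate on it; `r` comes from the remote fetcher, so unless the fetcher verifies content itself (not visible in this file), a hostile registry can feed arbitrarily large or substituted bytes straight through the new media-type check. The `digest` package is already imported here, so a small helper that limits the read to `desc.Size+1`, rejects a size mismatch and checks the digest can be shared by the two branches, which also removes the duplicated read-then-validate sequence. `fetchManifestPlatform` begins before this hunk (where `r` is obtained) and continues after it; `io` would need adding to the import block if it is not already imported.

```go
// readManifestBytes reads a manifest or index body and checks it against its
// descriptor before any JSON is interpreted. The fetcher is an untrusted
// remote reader, so size and digest are verified here rather than assumed.
func readManifestBytes(r io.Reader, desc ocispec.Descriptor) ([]byte, error) {
	if desc.Size > 0 {
		r = io.LimitReader(r, desc.Size+1)
	}
	p, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, err
	}
	if desc.Size > 0 && int64(len(p)) != desc.Size {
		return nil, fmt.Errorf("manifest size %d does not match descriptor size %d", len(p), desc.Size)
	}
	if desc.Digest != "" {
		if err := desc.Digest.Validate(); err != nil {
			return nil, err
		}
		if desc.Digest.Algorithm().FromBytes(p) != desc.Digest {
			return nil, fmt.Errorf("manifest digest mismatch: expected %s", desc.Digest)
		}
	}
	if err := containerdutil.ValidateMediaType(p, desc.MediaType); err != nil {
		return nil, err
	}
	return p, nil
}

	// … in fetchManifestPlatform, each branch's read+validate block becomes:
	p, err := readManifestBytes(r, desc)
	if err != nil {
		return ocispec.Manifest{}, err
	}
```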
@@ -273,9 +292,7 @@ func fetchManifestPlatform(ctx context.Context, fetcher remotes.Fetcher, desc oc
 		if !found {
 			return ocispec.Manifest{}, fmt.Errorf("no manifest found for platform")
 		}
-		manifest, err = fetchManifestPlatform(ctx, fetcher, target, platform)
-	default:
-		err = fmt.Errorf("unknown mediatype %q", desc.MediaType)
+		return fetchManifestPlatform(ctx, fetcher, target, platform)
 	}
-	return manifest, err
+	return ocispec.Manifest{}, fmt.Errorf("unknown mediatype %q", desc.MediaType)
 }
diff --git a/util/containerdutil/manifest.go b/util/containerdutil/manifest.go
index ec77017fa..4f9f991cc 100644
--- a/util/containerdutil/manifest.go
+++ b/util/containerdutil/manifest.go
@@ -19,6 +19,7 @@ package containerdutil
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"sort"
 
 	"github.com/containerd/containerd/content"
@@ -42,6 +43,9 @@ func ManifestDesc(ctx context.Context, provider content.Provider, image ocispec.
 		if err != nil {
 			return nil, err
 		}
+		if err := ValidateMediaType(p, desc.MediaType); err != nil {
+			return nil, err
+		}
 		var manifest ocispec.Manifest
 		if err := json.Unmarshal(p, &manifest); err != nil {
 			return nil, err
@@ -71,6 +75,9 @@ func ManifestDesc(ctx context.Context, provider content.Provider, image ocispec.
 		if err != nil {
 			return nil, err
 		}
+		if err := ValidateMediaType(p, desc.MediaType); err != nil {
+			return nil, err
+		}
 		var idx ocispec.Index
 		if err := json.Unmarshal(p, &idx); err != nil {
 			return nil, err
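Review bot: The index branch now returns `fetchManifestPlatform(ctx, fetcher, target, platform)` directly, and `target` is a descriptor taken from the body the registry just served; if that descriptor names another index the call recurses again with no depth bound, so a registry that keeps answering with index documents (trivially so if digests are not verified upstream of this function) can drive unbounded recursion and repeated fetches. Thread a depth counter through the recursion, for example an internal `fetchManifestPlatformDepth(..., depth int)` that the current function calls with 0, and fail early with `if depth > maxIndexDepth { return ocispec.Manifest{}, fmt.Errorf("image index nesting exceeds %d levels", maxIndexDepth) }` using a small constant such as 4. The platform-matching loop that sets `target` and `found` lies between this hunk and the previous one and is not visible here, so the exact insertion point for the guard is inferred.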
@@ -109,3 +116,44 @@ func ManifestDesc(ctx context.Context, provider content.Provider, image ocispec.
 	}
 	return m[0], nil
 }
+
+// Forked from github.com/containerd/containerd/images/image.go
+// commit: a776a27af54a803657d002e7574a4425b3949f56
+
+// unknownDocument represents a manifest, manifest list, or index that has not
+// yet been validated.
+type unknownDocument struct {
+	MediaType string `json:"mediaType,omitempty"`
+	Config json.RawMessage `json:"config,omitempty"`
+	Layers json.RawMessage `json:"layers,omitempty"`
+	Manifests json.RawMessage `json:"manifests,omitempty"`
+	FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1
+}
+
+// ValidateMediaType returns an error if the byte slice is invalid JSON or if
+// the media type identifies the blob as one format but it contains elements of
+// another format.
+func ValidateMediaType(b []byte, mt string) error {
+	var doc unknownDocument
+	if err := json.Unmarshal(b, &doc); err != nil {
+		return err
+	}
+	if len(doc.FSLayers) != 0 {
+		return fmt.Errorf("media-type: schema 1 not supported")
+	}
+	switch mt {
+	case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+		if len(doc.Manifests) != 0 ||
+			doc.MediaType == images.MediaTypeDockerSchema2ManifestList ||
+			doc.MediaType == ocispec.MediaTypeImageIndex {
+			return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
+		}
+	case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+		if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
+			doc.MediaType == images.MediaTypeDockerSchema2Manifest ||
+			doc.MediaType == ocispec.MediaTypeImageManifest {
+			return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
+		}
+	}
+	return nil
+}
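Review bot: `ValidateMediaType` has no `default` arm, so any `mt` outside the four listed constants passes with only the schema 1 check, and the doc comment does not say so; a caller that forwards an attacker-chosen descriptor media type would get a nil error for content that was never inspected. Both callers in this patch gate on the known types before calling, so the minimal fix is to document the contract, e.g. `// Media types other than the Docker/OCI manifest and index types are not inspected beyond the schema 1 rejection; callers must gate on mt first.`; if the function is meant to be the last line of defence, add `default: return fmt.Errorf("media-type: unsupported media type %q", mt)` before `return nil`. A one-line comment on the `len(doc.X) != 0` tests would also help: an explicit JSON `null` leaves the raw message as the four bytes `null`, so `"manifests": null` in a manifest is rejected, which errs on the safe side but may surprise a future maintainer.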