From 9c49ca12d641c8d75a0b70ee3f1989b81d760634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Wed, 17 Jan 2024 23:29:52 +0100 Subject: [PATCH] Validate digests before using them MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If doing it makes sense at all, it should happen before the values are used. Signed-off-by: Miloslav Trmač --- storage/storage_dest.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/storage/storage_dest.go b/storage/storage_dest.go index 07e1d5e1f9..2a668aa595 100644 --- a/storage/storage_dest.go +++ b/storage/storage_dest.go @@ -324,6 +324,13 @@ func (s *storageImageDestination) TryReusingBlobWithOptions(ctx context.Context, // tryReusingBlobAsPending implements TryReusingBlobWithOptions for (digest, size or -1), filling s.blobDiffIDs and other metadata. // The caller must arrange the blob to be eventually committed using s.commitLayer(). func (s *storageImageDestination) tryReusingBlobAsPending(digest digest.Digest, size int64, options *private.TryReusingBlobOptions) (bool, private.ReusedBlob, error) { + if digest == "" { + return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) + } + if err := digest.Validate(); err != nil { + return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) + } + // lock the entire method as it executes fairly quickly s.lock.Lock() defer s.lock.Unlock() @@ -344,13 +351,6 @@ func (s *storageImageDestination) tryReusingBlobAsPending(digest digest.Digest, } } - if digest == "" { - return false, private.ReusedBlob{}, errors.New(`Can not check for a blob with unknown digest`) - } - if err := digest.Validate(); err != nil { - return false, private.ReusedBlob{}, fmt.Errorf("Can not check for a blob with invalid digest: %w", err) - } - // Check if we've already cached it in a file. if size, ok := s.fileSizes[digest]; ok { return true, private.ReusedBlob{