NEXUS-18304 (Dev - Nexus Repo)

Docker content validation against certain Etag header value formats may fail

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.14.0
    • Fix Version/s: 3.15.0
    • Component/s: Docker
    • Story Points: 3

      Description

      The content validation added via NEXUS-16242 uses the ETag header.

      Dockerhub always returns ETag in the "algorithm:checksum" format. But in general the format of the ETag header cannot be relied on; it is just a generic identifier. This causes our validation to break when the ETag is in a format which is not compatible with Docker digests:

      Example received header:

      2018-11-01 18:24:37,850+0000 DEBUG [qtp639366847-55651]  example org.apache.http.headers - http-outgoing-42 << ETag: b558e108382f75d3cb440cec3bdaca8fa4bbfe30

      The exception caused by this in a Docker proxy repository:

      2018-11-01 18:24:37,861+0000 WARN [qtp639366847-55651] example org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/build/asap/manifests/latest
      java.lang.IllegalArgumentException: Digest must be formed as 'alg:hex': b558e108382f75d3cb440cec3bdaca8fa4bbfe30
      at com.google.common.base.Preconditions.checkArgument(Preconditions.java:210)
      at org.sonatype.nexus.repository.docker.internal.DockerDigest.parse(DockerDigest.java:71)
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.fetchTagDigestByContentDigest(DockerProxyFacetImpl.java:916)

      FWIW, it seems the Docker-Content-Digest's format can be relied on:

      https://docs.docker.com/registry/spec/api/#content-digests

      2018-11-01 18:24:37,851+0000 DEBUG [qtp639366847-55651] example org.apache.http.headers - http-outgoing-42 << Docker-Content-Digest: sha256:9030d11b2bf8181a39b010c27359a7557c753c7f5272211ca2c12ec02656a25b

      Note that this problem causes a Docker proxy which has Artifactory as its remote to fail, since Artifactory does not use the "algorithm:checksum" format in its ETag headers.
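The selection and validation logic the report argues for, as an added example that is not part of the issue or of Nexus Repository's own code: prefer Docker-Content-Digest, accept an ETag only when it actually parses as an `algorithm:hex` Docker digest, and otherwise skip digest validation rather than throw. The header sets and manifest body below are constructed for the example; the Artifactory-style ETag value is the one quoted in the report.

```python
import hashlib
import hmac
import re
from typing import Mapping, Optional, Tuple

# Docker digest grammar, "<algorithm>:<hex>", per
# https://docs.docker.com/registry/spec/api/#content-digests
_DIGEST_RE = re.compile(r"^(?P<alg>[a-z0-9]+(?:[.+_-][a-z0-9]+)*):(?P<hex>[0-9a-f]+)$")
# Hex lengths for the algorithms this example is willing to verify with hashlib.
_HEX_LEN = {"sha256": 64, "sha512": 128}


def parse_digest(value: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, hex) if value is a well-formed, verifiable digest, else None.

    Unlike a Preconditions.checkArgument, a malformed value is a normal outcome here
    (an ETag is just an opaque identifier), so it is reported as None, not raised.
    """
    m = _DIGEST_RE.match(value.strip())
    if not m:
        return None
    alg, hexdigest = m.group("alg"), m.group("hex")
    if _HEX_LEN.get(alg) != len(hexdigest):
        return None
    return alg, hexdigest


def _strip_etag(value: str) -> str:
    """ETags are normally quoted and may carry a weak-validator prefix (W/"...")."""
    v = value.strip()
    if v.startswith("W/"):
        v = v[2:]
    return v.strip('"')


def select_content_digest(headers: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Pick the digest to validate against, or None if the upstream gave no usable one.

    Docker-Content-Digest wins when present. ETag is only a fallback, and only if it
    happens to be in digest form (Docker Hub does this; Artifactory does not).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    dcd = lowered.get("docker-content-digest")
    if dcd is not None:
        # A malformed Docker-Content-Digest is a spec violation; do not fall back to ETag.
        return parse_digest(dcd)
    etag = lowered.get("etag")
    if etag is not None:
        return parse_digest(_strip_etag(etag))
    return None


def verify_content(body: bytes, digest: Tuple[str, str]) -> bool:
    """Hash the fetched body with the digest's algorithm and compare in constant time."""
    alg, expected = digest
    actual = hashlib.new(alg, body).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a stand-in manifest body and two upstream header sets.
MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json"}'
MANIFEST_SHA256 = hashlib.sha256(MANIFEST).hexdigest()

# Artifactory-style upstream: opaque ETag (value from the report), digest in its own header.
ARTIFACTORY_STYLE = {
    "ETag": '"b558e108382f75d3cb440cec3bdaca8fa4bbfe30"',
    "Docker-Content-Digest": "sha256:" + MANIFEST_SHA256,
}
# Docker Hub-style upstream: ETag carries the digest, no separate header in this sample.
DOCKERHUB_STYLE = {"ETag": '"sha256:' + MANIFEST_SHA256 + '"'}
# Upstream with only an opaque ETag: nothing to validate against, so skip rather than fail.
OPAQUE_ONLY = {"ETag": '"b558e108382f75d3cb440cec3bdaca8fa4bbfe30"'}


if __name__ == "__main__":
    for name, hdrs in (("artifactory", ARTIFACTORY_STYLE), ("dockerhub", DOCKERHUB_STYLE), ("opaque", OPAQUE_ONLY)):
        d = select_content_digest(hdrs)
        status = "no digest, validation skipped" if d is None else ("ok" if verify_content(MANIFEST, d) else "MISMATCH")
        print(f"{name}: {status}")
```

The report's failing input, `b558e108382f75d3cb440cec3bdaca8fa4bbfe30`, has no `alg:` prefix and so simply yields no digest; validation is skipped instead of the proxy request erroring out. Note the design choice that a present but malformed Docker-Content-Digest does not fall back to ETag, since that header is the one the spec defines and a bad value there is worth surfacing, not papering over.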

    People

    • Assignee: Moncef Ben-Soula
    • Reporter: Rich Seddon
    • Last Updated By: Joe Tom
    • Team: NXRM - Cypher
    • Votes: 3
    • Watchers: 11
