  Dev - Nexus Repo / NEXUS-28714

Content validation does not work properly for OCI


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.33.0
    • Fix Version/s: 3.36.0
    • Component/s: Docker
    • Labels:
    • Story Points: 5
    • Sprint: NXRM MadMax Sprint 17, NXRM MadMax Sprint 18, NXRM MadMax Sprint 19
    • Notability: 2

      Description

      Currently we validate that docker layers are either gzip or tar content. Uploads or proxies of anything else will fail.

      This is not consistent with OCI images, which can contain other types of content.

      Example:

      $ file sha256__*
       sha256__13e86d6c24c6619aa3fe10dffffd116388f3652d5f87315beaaade9e78eb1864: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
       sha256__204cccf259732a35c3ad4df0d011d81706f3069390f32f6f4dd783fa9471cbdd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=xMYTrzayNZSOk_MfmrHz/3sal8jvXOtZs5hkOCgNt/TA2foo7ezIu2to7eqVSY/6CO8iA1nEIxRfLd5Q563, stripped
       sha256__5ed116d10f336bcaf470568b57a6843a6f27e6af59b0054a2c12934095cc9024: JSON data
       sha256__83482e6395a37aa7a80ca6990e13c024e7f40418f0a2bdcf65ed225f896858cb: Mach-O 64-bit executable x86_64
       sha256__d7c22f85958d30142f1ed758cf6a5e0f8121fc3a4eddcb010b54bb883d530a7e: POSIX tar archive

      The OCI specification FAQ says:

      Q: Should I validate the content type of the patch request body?
      A. The content type for blob uploads isn't meaningful since it's consistently the same (application/octet-stream). However, you may so choose to check that the content type is consistent for each chunk in the upload. It would not be logical for it to change part of the way through.

      Expected: It should be possible to upload OCI image layers "out of the box", with no configuration changes needed. If we can detect that a layer is associated with an OCI image, we could be smart about this and disable validation only for that case. If not, we should just not validate layers. If layer validation is still going to be done, disabling content validation in the repository configuration should disable the validation. Whatever is done should be the same for both proxy and hosted repositories.

      Note: Disabling content validation does not provide a workaround; the code in question does not check that flag.
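      Added example (not Nexus code): a Python sketch of a layer check along the lines the ticket asks for. It always verifies the content-addressed digest, applies the gzip/tar sniff only to media types that promise a tar payload, and honours the content-validation flag; the media-type set, the function names and the sample blobs are assumptions constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile

# Media types that must carry a tar payload (plain or gzipped); other OCI types may carry anything.
TAR_LAYER_TYPES = {
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
    "application/vnd.oci.image.layer.v1.tar",
    "application/vnd.oci.image.layer.v1.tar+gzip",
}

def digest_matches(blob: bytes, expected: str) -> bool:
    """Content-addressed integrity check: the blob must hash to its 'sha256:<hex>' name."""
    algo, _, hexdigest = expected.partition(":")
    return algo == "sha256" and hashlib.sha256(blob).hexdigest() == hexdigest

def looks_like_gzip(blob: bytes) -> bool:
    return blob[:2] == b"\x1f\x8b"        # gzip magic number

def looks_like_tar(blob: bytes) -> bool:
    return blob[257:262] == b"ustar"      # POSIX/ustar magic at header offset 257

def validate_layer(blob: bytes, digest: str, media_type: str, content_validation: bool = True):
    """Return (accepted, reason). The digest is always checked; the tar/gzip sniff runs
    only for media types that promise a tar payload and only when the repository's
    content-validation flag is on, so that flag really disables the format check."""
    if not digest_matches(blob, digest):
        return False, "digest mismatch"
    if not content_validation or media_type not in TAR_LAYER_TYPES:
        return True, "digest ok; format check not applicable"
    sniff = looks_like_gzip if media_type.endswith("gzip") else looks_like_tar
    if sniff(blob):
        return True, "digest ok; format ok"
    return False, f"format mismatch for {media_type}"

def sha256_ref(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()   # 'sha256:<hex>' blob name

def sample_layers() -> dict:
    """Constructed sample blobs (not from a real image): a tar, its gzip form, and
    a fake ELF-like binary standing in for the non-tar OCI layers in the ticket."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("hello.txt")
        info.size = 2
        tar.addfile(info, io.BytesIO(b"hi"))
    tar_bytes = buf.getvalue()
    return {"tar": tar_bytes, "gz": gzip.compress(tar_bytes), "elf": b"\x7fELF" + b"\0" * 60}
```

      The digest comparison is the check that actually protects blob integrity; the magic-byte sniff only catches malformed tar layers and is meaningless for other OCI artifact types.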

              People

              Assignee: ybulatnikov (Eugene Bulatnikov)
              Reporter: rseddon (Rich Seddon)
              Last Updated By: Eugene Bulatnikov
              Team: NXRM - Mad Max
              Votes: 1
              Watchers: 9
