Perform more strict validation of *all* media types

tianon · tianon · commit 057b5986a3e5 · 2023-01-31T13:03:50.000-08:00
Docker media types inside OCI media types is semantically fine (and Docker sure doesn't care), but technically invalid, so this increases our validation from just the manifest media type all the way down to the config and layer media types also.
diff --git a/cmd/bashbrew/oci-builder.go b/cmd/bashbrew/oci-builder.go
@@ -163,7 +163,15 @@ func ociImportBuild(tags []string, commit, dir, file string) error {
 	}
 
 	otherBlobs := append([]imagespec.Descriptor{manifest.Config}, manifest.Layers...)
-	for _, blob := range otherBlobs {
+	for i, blob := range otherBlobs {
+		if i == 0 && blob.MediaType != imagespec.MediaTypeImageConfig {
+			return fmt.Errorf("unsupported mediaType %q for config descriptor %s", blob.MediaType, errFileStr(string(blob.Digest)))
+		} else if i != 0 && blob.MediaType != imagespec.MediaTypeImageLayer && blob.MediaType != imagespec.MediaTypeImageLayerGzip && blob.MediaType != imagespec.MediaTypeImageLayerZstd {
+			return fmt.Errorf("unsupported mediaType %q for layer descriptor %s", blob.MediaType, errFileStr(string(blob.Digest)))
+		}
+		if blob.Size < 0 {
+			return fmt.Errorf("invalid size %d in blob descriptor %s", blob.Size, errFileStr(string(blob.Digest)))
+		}
 		if err := importOCIBlob(ctx, cs, fs, blob); err != nil {
 			return fmt.Errorf("failed to import blob %s: %w", errFileStr(string(blob.Digest)), err)
 		}
