From 4d7e69c248fb937a22f65cfb6dcf1b07ddb20fb4 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Tue, 19 Aug 2025 03:21:18 +1000
Subject: [PATCH] oci: do not require top-level mediaType

The top-level mediaType member was added in response to CVE-2021-41190, but while it is suggested (SHOULD) it is not required (MUST) and some older tools do not fill this mediaType field (such as skopeo, at least for "index.json"). I plan to use these jq-based validation scripts for umoci, but incompatibility with skopeo is a little annoying (since that is what we use to pull images for our tests). We can work around it for "index.json", but it seems incorrect to claim that an image is invalid because of a missing suggested field. Instead, add an informational message but still permit such images.

Signed-off-by: Aleksa Sarai
---
 oci.jq | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/oci.jq b/oci.jq
index 7b9794e..436ccf9 100644
--- a/oci.jq
+++ b/oci.jq
@@ -250,11 +250,28 @@ def validate_oci_subject_haver:
   else . end
 ;
 
+# Some objects have .mediaType fields which SHOULD NOT be unset but are still
+# valid if they are missing, so we should emit a warning if they are unset but
+# do not error out.
+# usage: same as validate_IN(.mediaType; options).
+# https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh (CVE-2021-41190)
+# https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md
+# https://github.com/opencontainers/image-spec/blob/v1.1.1/image-index.md
+def validate_optional_mediatype(options):
+  if has("mediaType") then
+    validate_IN(.mediaType; options)
+  else [
+    # Output a warning message.
+    ("warning: top-level mediaType field is missing from object (see CVE-2021-41190)\nexpected one of:\n\t\([ options | tojson ] | join("\n\t"))\n" | stderr | empty),
+    .
+  ] | last end
+;
+
 # https://github.com/opencontainers/image-spec/blob/v1.1.1/image-index.md
 def validate_oci_index($opt):
   validate_IN(type; "object")
   | validate_IN(.schemaVersion; 2)
-  | validate_IN(.mediaType; media_types_index)
+  | validate_optional_mediatype(media_types_index)
   | if has("artifactType") then
     validate(.artifactType; type == "string")
     | validate_IN(.artifactType; null) # TODO acceptable values? (this check intentionally contradicts the one above so artifactType generates an error)
@@ -296,7 +313,7 @@ def validate_oci_index: validate_oci_index({});
 def validate_oci_image($opt):
   validate_IN(type; "object")
   | validate_IN(.schemaVersion; 2)
-  | validate_IN(.mediaType; media_types_image)
+  | validate_optional_mediatype(media_types_image)
   | if has("artifactType") then
     validate(.artifactType; type == "string")
     | validate_IN(.artifactType;
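Review bot: The missing-mediaType branch of validate_optional_mediatype only warns and passes `.` through, so a document with no mediaType is still accepted even when it carries members of both document types, which is the ambiguity CVE-2021-41190 was about. Unless validate_oci_index / validate_oci_image already reject such a mix further down (both bodies continue outside the hunk), that branch is where the guard belongs, e.g. `validate(.; (has("manifests") and (has("layers") or has("config"))) | not)` before the warning, assuming validate/2 takes a filter as its first argument the way the `validate(.artifactType; …)` calls suggest. The `[ (… | empty), . ] | last` construction can be written as `(… | stderr | empty), .`, which reads more directly and avoids building a one-element array. If I recall correctly, `stderr` printed its input JSON-encoded until jq 1.7 and raw text only from 1.7 on, so on older jq the embedded `\n`/`\t` appear as escape sequences and the message comes out quoted; a line in the header comment stating the minimum jq version would make that expectation explicit. The same replacement is made in the validate_oci_image hunk below, which is truncated in this view.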