casext: add handling for empty JSON media-type

cyphar · cyphar · commit 107f4f030a40 · 2025-10-02T04:43:10.000+10:00
While this is a fairly hypothetical problem, the spec explicitly defines
what "application/vnd.oci.empty.v1+json" should look like and so we
should validate it.

Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/internal/errors.go b/internal/errors.go
@@ -25,3 +25,8 @@ import (
 // ErrUnimplemented is returned as a source error for umoci features that are
 // not yet implemented.
 var ErrUnimplemented = errors.New("unimplemented umoci feature")
+
+// ErrInvalidEmptyJSON is returned from the mediatype parser if a descriptor
+// with the "application/vnd.oci.empty.v1+json" media-type has any value other
+// than "{}".
+var ErrInvalidEmptyJSON = errors.New("empty json blob is invalid")
diff --git a/oci/casext/blob.go b/oci/casext/blob.go
@@ -54,6 +54,7 @@ type Blob struct {
 	// ispec.MediaTypeImageLayerNonDistributable => io.ReadCloser
 	// ispec.MediaTypeImageLayerNonDistributableGzip => io.ReadCloser
 	// ispec.MediaTypeImageConfig => ispec.Image
+	// ispec.MediaTypeEmptyJSON => struct{}
 	// unknown => io.ReadCloser
 	Data any
 }
diff --git a/oci/casext/blob_test.go b/oci/casext/blob_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/opencontainers/umoci/internal"
 	"github.com/opencontainers/umoci/pkg/hardening"
 )
 
@@ -50,6 +51,16 @@ func TestDescriptorEmbeddedData(t *testing.T) {
 			descriptor:   ispec.DescriptorEmptyJSON,
 			expectedData: struct{}{},
 		},
+		{
+			name: "EmptyJSON-BadData",
+			descriptor: ispec.Descriptor{
+				MediaType: ispec.MediaTypeEmptyJSON,
+				Digest:    "sha256:74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b",
+				Size:      4,
+				Data:      []byte("null"),
+			},
+			expectedErr: internal.ErrInvalidEmptyJSON,
+		},
 		{
 			name: "BadDigest",
 			descriptor: ispec.Descriptor{
diff --git a/oci/casext/mediatype/parse.go b/oci/casext/mediatype/parse.go
@@ -19,6 +19,7 @@
 package mediatype
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -27,6 +28,8 @@ import (
 	"sync"
 
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"github.com/opencontainers/umoci/internal"
 )
 
 // ErrNilReader is returned by the parsers in this package when they are called
@@ -206,11 +209,35 @@ func manifestParser(rdr io.Reader) (any, error) {
 	return manifest.Manifest, nil
 }
 
+// emptyJSONParser only parses "application/vnd.oci.empty.v1+json" and
+// validates that it is actually "{}".
+func emptyJSONParser(rdr io.Reader) (any, error) {
+	if rdr == nil {
+		// must not return a nil interface{}
+		return struct{}{}, ErrNilReader
+	}
+
+	// The only valid value for this blob.
+	const emptyJSON = `{}`
+
+	// Try to read at least one more byte than emptyJSON so if there is some
+	// trailing data we will error out without needing to read any more.
+	data, err := io.ReadAll(io.LimitReader(rdr, int64(len(emptyJSON))+1))
+	if err != nil {
+		return nil, err
+	}
+	if !bytes.Equal(data, []byte(emptyJSON)) {
+		return nil, internal.ErrInvalidEmptyJSON
+	}
+	return struct{}{}, nil
+}
+
 // Register the core image-spec types.
 func init() {
 	RegisterParser(ispec.MediaTypeDescriptor, JSONParser[ispec.Descriptor])
 	RegisterParser(ispec.MediaTypeImageIndex, indexParser)
 	RegisterParser(ispec.MediaTypeImageConfig, JSONParser[ispec.Image])
+	RegisterParser(ispec.MediaTypeEmptyJSON, emptyJSONParser)
 
 	RegisterTarget(ispec.MediaTypeImageManifest)
 	RegisterParser(ispec.MediaTypeImageManifest, manifestParser)
diff --git a/oci/casext/mediatype/parse_test.go b/oci/casext/mediatype/parse_test.go
@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * umoci: Umoci Modifies Open Containers' Images
+ * Copyright (C) 2016-2025 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package mediatype
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/opencontainers/umoci/internal"
+)
+
+// TODO: Add more parsing tests.
+
+func TestParseEmptyJSON(t *testing.T) {
+	for _, test := range []struct {
+		name         string
+		data         []byte
+		expectedBlob any
+		expectedErr  error
+	}{
+		{
+			name:         "Good",
+			data:         []byte("{}"),
+			expectedBlob: struct{}{},
+		},
+		{
+			name:        "Bad-Empty",
+			data:        []byte{},
+			expectedErr: internal.ErrInvalidEmptyJSON,
+		},
+		{
+			name:        "Bad-Short",
+			data:        []byte(`0`),
+			expectedErr: internal.ErrInvalidEmptyJSON,
+		},
+		{
+			name:        "Bad-Suffix",
+			data:        []byte("{}\n"),
+			expectedErr: internal.ErrInvalidEmptyJSON,
+		},
+		{
+			name:        "Bad",
+			data:        []byte("The quick brown fox jumps over the lazy dog.\n"),
+			expectedErr: internal.ErrInvalidEmptyJSON,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			got, err := emptyJSONParser(bytes.NewBuffer(test.data))
+			require.ErrorIsf(t, err, test.expectedErr, "emptyJSONParser(%q)", string(test.data))
+			assert.Equalf(t, test.expectedBlob, got, "emptyJSONParser(%q)", string(test.data))
+		})
+	}
+}
diff --git a/oci/casext/verified_blob.go b/oci/casext/verified_blob.go
@@ -27,6 +27,7 @@ import (
 
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 
+	"github.com/opencontainers/umoci/internal"
 	"github.com/opencontainers/umoci/pkg/hardening"
 )
 
@@ -42,6 +43,18 @@ func (e Engine) GetVerifiedBlob(ctx context.Context, descriptor ispec.Descriptor
 	if descriptor.Size < 0 {
 		return nil, fmt.Errorf("invalid descriptor: %w", errInvalidDescriptorSize)
 	}
+	// The empty blob descriptor only has one valid value so we should validate
+	// it before allowing it to be opened.
+	if descriptor.MediaType == ispec.MediaTypeEmptyJSON {
+		if descriptor.Digest != ispec.DescriptorEmptyJSON.Digest ||
+			descriptor.Size != ispec.DescriptorEmptyJSON.Size {
+			return nil, fmt.Errorf("invalid descriptor: %w", internal.ErrInvalidEmptyJSON)
+		}
+		if descriptor.Data != nil &&
+			!bytes.Equal(descriptor.Data, ispec.DescriptorEmptyJSON.Data) {
+			return nil, fmt.Errorf("invalid descriptor: %w", internal.ErrInvalidEmptyJSON)
+		}
+	}
 	// Embedded data.
 	if descriptor.Data != nil {
 		// If the digest is small enough to fit in the descriptor, we can

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ type Blob struct {`
`54`	`54`	`// ispec.MediaTypeImageLayerNonDistributable => io.ReadCloser`
`55`	`55`	`// ispec.MediaTypeImageLayerNonDistributableGzip => io.ReadCloser`
`56`	`56`	`// ispec.MediaTypeImageConfig => ispec.Image`
	`57`	`+ // ispec.MediaTypeEmptyJSON => struct{}`
`57`	`58`	`// unknown => io.ReadCloser`
`58`	`59`	`Data any`
`59`	`60`	`}`