Do not allow empty hashes for the Target role (#721)

rdimitrov · web-flow · commit 17b4808cf953 · 2026-01-26T15:01:15.000+01:00
Signed-off-by: Radoslav Dimitrov &lt;radoslav@stacklok.com&gt;
diff --git a/metadata/marshal.go b/metadata/marshal.go
@@ -230,6 +230,10 @@ func (signed *TargetFiles) UnmarshalJSON(data []byte) error {
 	if err := json.Unmarshal(data, &s); err != nil {
 		return err
 	}
+	// Per TUF spec, hashes are mandatory for target files
+	if len(s.Hashes) == 0 {
+		return fmt.Errorf("hashes must not be empty for target files")
+	}
 	*signed = TargetFiles(s)
 
 	var dict map[string]any
diff --git a/metadata/metadata.go b/metadata/metadata.go
@@ -458,6 +458,10 @@ func (f *MetaFiles) VerifyLengthHashes(data []byte) error {
 // VerifyLengthHashes checks whether the TargetFiles data matches its corresponding
 // length and hashes
 func (f *TargetFiles) VerifyLengthHashes(data []byte) error {
+	// Per TUF spec, hashes are mandatory for target files
+	if len(f.Hashes) == 0 {
+		return &ErrLengthOrHashMismatch{Msg: "hashes must not be empty for target files"}
+	}
 	err := verifyHashes(data, f.Hashes)
 	if err != nil {
 		return err
diff --git a/metadata/metadata_test.go b/metadata/metadata_test.go
@@ -666,13 +666,13 @@ func TestVerifyLengthHashesTargetFiles(t *testing.T) {
 	targetFiles := TargetFile()
 	targetFiles.Hashes = map[string]HexBytes{}
 
+	// Per TUF spec, empty hashes must be rejected
 	data := []byte{}
 	err := targetFiles.VerifyLengthHashes(data)
-	assert.NoError(t, err)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "hashes must not be empty")
 
 	data = []byte("some data")
-	err = targetFiles.VerifyLengthHashes(data)
-	assert.Error(t, err, "length/hash verification error: length verification failed - expected 0, got 9")
 
 	h32 := sha256.Sum256(data)
 	h := h32[:]
@@ -712,3 +712,27 @@ func TestVerifyLengthHashesMetaFiles(t *testing.T) {
 	err = metaFile.VerifyLengthHashes(incorrectData)
 	assert.Error(t, err, "length/hash verification error: length verification failed - expected 0, got 9")
 }
+
+func TestTargetFilesEmptyHashesRejected(t *testing.T) {
+	// Per TUF spec, hashes are mandatory for target files.
+	// Targets metadata with empty hashes should be rejected at parse time.
+	targetsJSON := []byte(`{
+		"signatures": [],
+		"signed": {
+			"_type": "targets",
+			"expires": "2030-08-15T14:30:45Z",
+			"spec_version": "1.0.31",
+			"targets": {
+				"test.txt": {
+					"hashes": {},
+					"length": 100
+				}
+			},
+			"version": 1
+		}
+	}`)
+
+	_, err := Targets().FromBytes(targetsJSON)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "hashes must not be empty")
+}
