Send push information to trust code out-of-band
The trust code used to parse the console output of `docker push` to extract the digest, tag, and size information and determine what to sign. This is fragile and might give an attacker control over what gets signed if the attacker can find a way to influence what gets printed as part of the push output. This commit sends the push metadata out-of-band. It introduces an `Aux` field in JSONMessage that can carry application-specific data alongside progress updates. Instead of parsing formatted output, the client looks in this field to get the digest, size, and tag from the push. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This commit is contained in:
Aaron Lehmann
parent
486bca6d94
commit
1fe4441875
5 changed files with 36 additions and 7 deletions
|
|
@ -70,16 +70,26 @@ func (sf *StreamFormatter) FormatError(err error) []byte {
|
|||
}
|
||||
|
||||
// FormatProgress formats the progress information for a specified action.
|
||||
func (sf *StreamFormatter) FormatProgress(id, action string, progress *jsonmessage.JSONProgress) []byte {
|
||||
func (sf *StreamFormatter) FormatProgress(id, action string, progress *jsonmessage.JSONProgress, aux interface{}) []byte {
|
||||
if progress == nil {
|
||||
progress = &jsonmessage.JSONProgress{}
|
||||
}
|
||||
if sf.json {
|
||||
var auxJSON *json.RawMessage
|
||||
if aux != nil {
|
||||
auxJSONBytes, err := json.Marshal(aux)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
auxJSON = new(json.RawMessage)
|
||||
*auxJSON = auxJSONBytes
|
||||
}
|
||||
b, err := json.Marshal(&jsonmessage.JSONMessage{
|
||||
Status: action,
|
||||
ProgressMessage: progress.String(),
|
||||
Progress: progress,
|
||||
ID: id,
|
||||
Aux: auxJSON,
|
||||
})
|
||||
if err != nil {
|
||||
return nil
|
||||
|
|
@ -116,7 +126,7 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
|
|||
formatted = out.sf.FormatStatus(prog.ID, prog.Message)
|
||||
} else {
|
||||
jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total}
|
||||
formatted = out.sf.FormatProgress(prog.ID, prog.Action, &jsonProgress)
|
||||
formatted = out.sf.FormatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
|
||||
}
|
||||
_, err := out.out.Write(formatted)
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue