Merge pull request #3315 from quay/joseph.schorr/QUAY-1266/manifestlist-validation

Add architecture validation to manifest lists that contain schema 1 manifests
2019-02-27 18:32:21 -05:00 · 2019-02-27 18:32:21 -05:00 · 9d3543a353
commit 9d3543a353
parent dbe64c8327 f0f2d9cdf4
9 changed files with 110 additions and 6 deletions
--- a/data/model/oci/manifest.py
+++ b/data/model/oci/manifest.py
@ -74,8 +74,15 @@ def get_or_create_manifest(repository_id, manifest_interface_instance, storage):


 def _create_manifest(repository_id, manifest_interface_instance, storage):
-  # Load, parse and get/create the child manifests, if any.
+  # Validate the manifest.
  retriever = RepositoryContentRetriever.for_repository(repository_id, storage)
+  try:
+    manifest_interface_instance.validate(retriever)
+  except (ManifestException, MalformedSchema2ManifestList, BlobDoesNotExist, IOError):
+    logger.exception('Could not validate manifest `%s`', manifest_interface_instance.digest)
+    return None
+
+  # Load, parse and get/create the child manifests, if any.
  child_manifest_refs = manifest_interface_instance.child_manifests(retriever)
  child_manifest_rows = {}
  child_manifest_label_dicts = []