From dd3d939b31e08d7f4e349301efbc281fedd21712 Mon Sep 17 00:00:00 2001
From: Silas Sewell <silas@sewell.org>
Date: Mon, 5 Oct 2015 16:36:33 -0400
Subject: [PATCH] Update tag validation
Fixes #536
---
endpoints/api/tag.py | 5 +++++
endpoints/v1/tag.py | 5 ++++-
static/directives/tag-operations-dialog.html | 4 ++--
test/registry_tests.py | 21 ++++++++++++++++++--
test/test_api_usage.py | 6 ++++++
util/names.py | 4 ++++
6 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/endpoints/api/tag.py b/endpoints/api/tag.py
index b8ad1906a..986893c5d 100644
--- a/endpoints/api/tag.py
+++ b/endpoints/api/tag.py
@@ -8,6 +8,7 @@ from endpoints.api import (resource, nickname, require_repo_read, require_repo_w
from endpoints.api.image import image_view
from data import model
from auth.auth_context import get_authenticated_user
+from util.names import TAG_ERROR, TAG_REGEX
@resource('/v1/repository/<repopath:repository>/tag/')
@@ -85,6 +86,10 @@ class RepositoryTag(RepositoryParamResource):
@validate_json_request('MoveTag')
def put(self, namespace, repository, tag):
""" Change which image a tag points to or create a new tag."""
+
+ if not TAG_REGEX.match(tag):
+ abort(400, TAG_ERROR)
+
image_id = request.get_json()['image']
image = model.image.get_repo_image(namespace, repository, image_id)
if not image:
diff --git a/endpoints/v1/tag.py b/endpoints/v1/tag.py
index 2647f1cf9..70a23e089 100644
--- a/endpoints/v1/tag.py
+++ b/endpoints/v1/tag.py
@@ -5,7 +5,7 @@ import json
from flask import abort, request, jsonify, make_response, session
from app import app
-from util.names import parse_repository_name
+from util.names import TAG_ERROR, TAG_REGEX, parse_repository_name
from auth.auth import process_auth
from auth.permissions import (ReadRepositoryPermission,
ModifyRepositoryPermission)
@@ -56,6 +56,9 @@ def put_tag(namespace, repository, tag):
permission = ModifyRepositoryPermission(namespace, repository)
if permission.can():
+ if not TAG_REGEX.match(tag):
+ abort(400, TAG_ERROR)
+
docker_image_id = json.loads(request.data)
model.tag.create_or_update_tag(namespace, repository, tag, docker_image_id)
diff --git a/static/directives/tag-operations-dialog.html b/static/directives/tag-operations-dialog.html
index a769d5fa1..901a7792c 100644
--- a/static/directives/tag-operations-dialog.html
+++ b/static/directives/tag-operations-dialog.html
@@ -34,7 +34,7 @@
<div ng-show="!addingTag">
<input type="text" class="form-control" id="tagName"
placeholder="Enter tag name"
- ng-model="tagToCreate" ng-pattern="/^([a-z0-9_\.-]){3,30}$/"
+ ng-model="tagToCreate" ng-pattern="/^[\w][\w\.-]{0,127}$/"
ng-disabled="creatingTag" autofocus required>
<div style="margin: 10px; margin-top: 20px;"
@@ -121,4 +121,4 @@
<span class="label label-default tag">{{ revertTagInfo.tag.name }}</span> to image
<span class="image-id">{{ revertTagInfo.image_id.substr(0, 12) }}?</span>
</div>
-</div>
\ No newline at end of file
+</div>
diff --git a/test/registry_tests.py b/test/registry_tests.py
index e6f515b6c..cb7cf412d 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -212,8 +212,7 @@ class RegistryTestCase(LiveServerTestCase):
# PUT /v1/repositories/{namespace}/{repository}/tags/latest
- self.conduct('PUT', '/v1/repositories/%s/%s/tags/latest' % (namespace, repository),
- data='"' + images[0]['id'] + '"')
+ self.do_tag(namespace, repository, 'latest', images[0]['id'])
# PUT /v1/repositories/{namespace}/{repository}/images
self.conduct('PUT', '/v1/repositories/%s/%s/images' % (namespace, repository),
@@ -246,6 +245,10 @@ class RegistryTestCase(LiveServerTestCase):
self.conduct('GET', image_prefix + 'json')
self.conduct('GET', image_prefix + 'layer')
+ def do_tag(self, namespace, repository, tag, image_id, expected_code=200):
+ self.conduct('PUT', '/v1/repositories/%s/%s/tags/%s' % (namespace, repository, tag),
+ data='"%s"' % image_id, expected_code=expected_code)
+
def conduct_api_login(self, username, password):
self.conduct('POST', '/api/v1/signin',
data=json.dumps(dict(username=username, password=password)),
@@ -437,5 +440,19 @@ class RegistryTests(RegistryTestCase):
# org.
self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
+ def test_tag_validation(self):
+ image_id = 'onlyimagehere'
+ images = [{
+ 'id': image_id
+ }]
+ self.do_push('public', 'newrepo', 'public', 'password', images)
+ self.do_tag('public', 'newrepo', '1', image_id)
+ self.do_tag('public', 'newrepo', 'x' * 128, image_id)
+ self.do_tag('public', 'newrepo', '', image_id, expected_code=400)
+ self.do_tag('public', 'newrepo', 'x' * 129, image_id, expected_code=400)
+ self.do_tag('public', 'newrepo', '.fail', image_id, expected_code=400)
+ self.do_tag('public', 'newrepo', '-fail', image_id, expected_code=400)
+
+
if __name__ == '__main__':
unittest.main()
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index cfe0aa8c0..1dba15169 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -2188,6 +2188,12 @@ class TestListAndDeleteTag(ApiTestCase):
self.assertEquals(staging_images, json['images'])
+ # Require a valid tag name.
+ self.putResponse(RepositoryTag,
+ params=dict(repository=ADMIN_ACCESS_USER + '/complex', tag='-fail'),
+ data=dict(image=staging_images[0]['id']),
+ expected_code=400)
+
# Add a new tag to the staging image.
self.putResponse(RepositoryTag,
params=dict(repository=ADMIN_ACCESS_USER + '/complex', tag='sometag'),
diff --git a/util/names.py b/util/names.py
index 376c74b21..4bb460c6a 100644
--- a/util/names.py
+++ b/util/names.py
@@ -6,6 +6,10 @@ from uuid import uuid4
REPOSITORY_NAME_REGEX = re.compile(r'^[\.a-zA-Z0-9_-]+$')
+TAG_REGEX = re.compile(r'^[\w][\w\.-]{0,127}$')
+TAG_ERROR = ('Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", '
+ 'and can contain 1-128 characters')
+
def parse_namespace_repository(repository, include_tag=False):
parts = repository.rstrip('/').split('/', 1)
if len(parts) < 2: