Add verb security tests and fix small issues
parent
d5fa2ad0c0
commit
df1e7f90e0
4 changed files with 206 additions and 4 deletions
|
@ -176,7 +176,7 @@ def _verify_repo_verb(_, namespace, repo_name, tag, verb, checker=None):
|
|||
if tag_image is None:
|
||||
abort(404)
|
||||
|
||||
if repo.kind != 'image':
|
||||
if repo is not None and repo.kind != 'image':
|
||||
abort(405)
|
||||
|
||||
# If there is a data checker, call it first.
|
||||
|
@ -351,10 +351,10 @@ def get_squashed_tag(namespace, repository, tag):
|
|||
@process_auth
|
||||
@parse_repository_name()
|
||||
def get_tag_torrent(namespace_name, repo_name, digest):
|
||||
permission = ReadRepositoryPermission(namespace_name, repo_name)
|
||||
repo = model.get_repository(namespace_name, repo_name)
|
||||
repo_is_public = repo is not None and repo.is_public
|
||||
|
||||
permission = ReadRepositoryPermission(namespace_name, repo_name)
|
||||
if not permission.can() and not repo_is_public:
|
||||
abort(403)
|
||||
|
||||
|
@ -363,7 +363,7 @@ def get_tag_torrent(namespace_name, repo_name, digest):
|
|||
# We can not generate a private torrent cluster without a user uuid (e.g. token auth)
|
||||
abort(403)
|
||||
|
||||
if repo.kind != 'image':
|
||||
if repo is not None and repo.kind != 'image':
|
||||
abort(405)
|
||||
|
||||
blob = model.get_repo_blob_by_digest(namespace_name, repo_name, digest)
|
||||
|
|
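Review bot: In get_tag_torrent, the new guard `if repo is not None and repo.kind != 'image':` lets a missing repository fall through to `model.get_repo_blob_by_digest(...)`, so the not-found outcome depends on how that lookup handles a nonexistent repo, which is not visible here. An explicit `if repo is None: abort(404)` placed after the permission check would make the result deterministic. Keeping it after the 403 means callers without read permission still cannot tell a missing repository from a private one. The same guard is used in _verify_repo_verb in the first hunk; the earlier `tag_image is None` check probably covers the missing-repo case there, but that depends on code outside the hunk. Both function bodies continue outside the visible hunks.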