Add repo name check to V2

Fixes #592
This commit is contained in:
Joseph Schorr 2015-10-05 14:19:52 -04:00
parent 16c0d19934
commit f393236c9f
3 changed files with 17 additions and 4 deletions


@ -17,10 +17,9 @@ from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermissi
CreateRepositoryPermission) CreateRepositoryPermission)
from endpoints.v2 import v2_bp from endpoints.v2 import v2_bp
from util.cache import no_cache from util.cache import no_cache
from util.names import parse_namespace_repository from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
from endpoints.decorators import anon_protect from endpoints.decorators import anon_protect
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -73,6 +72,11 @@ def generate_registry_jwt():
actions = match.group(2).split(',') actions = match.group(2).split(',')
namespace, reponame = parse_namespace_repository(namespace_and_repo) namespace, reponame = parse_namespace_repository(namespace_and_repo)
# Ensure that we are never creating an invalid repository.
if not REPOSITORY_NAME_REGEX.match(reponame):
abort(400)
if 'pull' in actions and 'push' in actions: if 'pull' in actions and 'push' in actions:
if user is None: if user is None:
abort(401) abort(401)
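Review bot: The new guard `if not REPOSITORY_NAME_REGEX.match(reponame):` is only as strict as the pattern it uses, and the pattern added in the util/names.py hunk on this page, `^[\.a-zA-Z0-9_-]+$`, has two gaps worth closing before this check is relied on to keep bad names out of the repository table. In Python `$` also matches just before a trailing newline, so a name that still carries `\n` would pass `.match()` if the upstream scope regex lets one through (that regex is outside the hunk, so I can't confirm it does); anchoring with `\Z`, i.e. `REPOSITORY_NAME_REGEX = re.compile(r'^[\.a-zA-Z0-9_-]+\Z')`, removes that ambiguity. The class also accepts names made only of separators such as `.`, `..` or `-`, which is looser than the lowercase-alphanumeric-with-interior-separator grammar the Docker V2 registry API specifies for path components, if memory serves, so a name the registry client would never send can still be minted here. Only `reponame` is validated; `namespace` from the same `parse_namespace_repository` call is passed on unchecked, presumably because it is resolved against existing namespaces further down, but that is outside the hunk. `generate_registry_jwt` starts and ends outside this hunk.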


@ -377,14 +377,18 @@ class V2RegistryMixin(BaseRegistryMixin):
class V2RegistryPushMixin(V2RegistryMixin): class V2RegistryPushMixin(V2RegistryMixin):
def do_push(self, namespace, repository, username, password, images=None, tag_name=None, def do_push(self, namespace, repository, username, password, images=None, tag_name=None,
cancel=False, invalid=False, expected_manifest_code=202): cancel=False, invalid=False, expected_manifest_code=202, expected_auth_code=200):
images = images or self._get_default_images() images = images or self._get_default_images()
# Ping! # Ping!
self.v2_ping() self.v2_ping()
# Auth. # Auth.
self.do_auth(username, password, namespace, repository, scopes=['push', 'pull']) self.do_auth(username, password, namespace, repository, scopes=['push', 'pull'],
expected_code=expected_auth_code)
if expected_auth_code != 200:
return
# Build a fake manifest. # Build a fake manifest.
tag_name = tag_name or 'latest' tag_name = tag_name or 'latest'
@ -816,6 +820,9 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images) self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
def test_invalid_regname(self):
self.do_push('devtable', 'this/is/a/repo', 'devtable', 'password', expected_auth_code=400)
def test_multiple_tags(self): def test_multiple_tags(self):
latest_images = [ latest_images = [
{ {
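Review bot: `test_invalid_regname` pins only the 400 from the auth step; the comment added with the check says the goal is never creating an invalid repository, and nothing here asserts that no repository was created under `devtable` after the rejected push, so a regression that returns 400 but still inserts the row would pass. If the test mixin exposes a way to look up a repository's existence, one assertion after the `do_push` call would pin that invariant; I can't see such a helper from this hunk. The early `return` added to `do_push` after a non-200 auth is fine, but since it now returns `None` on that path while the rest of the method presumably returns something, a docstring line such as `"""Push images; when expected_auth_code is not 200, stop after the auth step and return None."""` would save the next reader a trip through the body. `test_multiple_tags` continues outside the hunk.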


@ -1,8 +1,10 @@
import urllib import urllib
import re
from functools import wraps from functools import wraps
from uuid import uuid4 from uuid import uuid4
REPOSITORY_NAME_REGEX = re.compile(r'^[\.a-zA-Z0-9_-]+$')
def parse_namespace_repository(repository, include_tag=False): def parse_namespace_repository(repository, include_tag=False):
parts = repository.rstrip('/').split('/', 1) parts = repository.rstrip('/').split('/', 1)