mirror of
https://github.com/quay/quay.git
synced 2026-01-26 06:21:37 +03:00
ed78a8beeb
* v2: Disallow push of manifests with negative layer size (PROJQUAY-8560)
Under certain conditions, clients may create a manifest (OCI or Docker v2) that contains negative layer sizes. Our current validation schema does not take that corner case into account, it only checks if the manifest is properly formatted or not. With this change, Quay will reject manifests that have negative layer sizes and raise a `400` with a proper exception. An example can be seen here:
~~~
gunicorn-registry stdout | 2025-02-10 22:34:54,930 [377] [ERROR] [endpoints.v2.manifest] failed to parse manifest when writing by tagname
gunicorn-registry stdout | Traceback (most recent call last):
gunicorn-registry stdout | File "/quay-registry/endpoints/v2/manifest.py", line 362, in _parse_manifest
gunicorn-registry stdout | return parse_manifest_from_bytes(
gunicorn-registry stdout | File "/quay-registry/image/shared/schemas.py", line 40, in parse_manifest_from_bytes
gunicorn-registry stdout | return DockerSchema2Manifest(manifest_bytes)
gunicorn-registry stdout | File "/quay-registry/image/docker/schema2/manifest.py", line 172, in __init__
gunicorn-registry stdout | raise MalformedSchema2Manifest("layer size is negative")
gunicorn-registry stdout | image.docker.schema2.manifest.MalformedSchema2Manifest: layer size is negative
gunicorn-registry stdout | 2025-02-10 22:34:54,931 [377] [DEBUG] [endpoints.v2] sending response: b'{"errors":[{"code":"MANIFEST_INVALID","detail":{"message":"failed to parse manifest: layer size is negative"},"message":"manifest invalid"}]}\n
~~~
* Add tests, changed error message on malformed manifest exception
* Fix v2 API test
* Add match expression to pytest to make sure a proper exception is raised
* Add exception for layers with size 0 bytes, fix tests
* Fix indentation on previous changes
* Fix indetation
Project Quay
⚠️ The master branch may be in an unstable or even broken state during development.
Please use releases instead of the master branch in order to get stable software.
Project Quay builds, stores, and distributes your container images.
High-level features include:
- Docker Registry Protocol v2
- Docker Manifest Schema v2.1, v2.2
- OCI spec v1.1 support oci
- Authentication provided by LDAP, Keystone, OIDC, Google, and GitHub
- ACLs, team management, and auditability logs
- Geo-replicated storage provided by local filesystems, S3, GCS, Swift, Ceph and ODF
- Continuous Integration integrated with GitHub, Bitbucket, GitLab, and git
- Security Vulnerability Analysis via Clair
- Swagger-compliant HTTP API
Getting Started
- Explore a live instance of Project Quay hosted at Quay.io
- Watch talks given about Project Quay
- Review the documentation for Red Hat Quay
- Get up and running with our getting started guide for developing or deploying Quay
- Deploy on Kubernetes using the Quay Operator
Community
- Mailing List: quay-sig@googlegroups.com
- IRC: #quay on libera.chat
- Bug tracking: Red Hat JIRA
- Security Issues: security@redhat.com
- Community meetings held the first Wednesday of every month 11:00 AM EST: meeting link
License
Project Quay is under the Apache 2.0 license. See the LICENSE file for details.