taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 15:00:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9a8728454bcd11c911e82ae88d3a3eb9df958b02
nora/nora-registry/src/validation.rs
DevITWay a220567270 feat: add input validation with path traversal protection 
- validate_storage_key: reject ../, null bytes, absolute paths
- validate_docker_name: OCI distribution spec compliance
- validate_digest: sha256/sha512 format validation
- validate_docker_reference: tag and digest reference validation
- Integrate validation in storage wrapper and Docker handlers
2026-01-26 00:02:15 +00:00

553 lines
16 KiB
Rust
Raw Blame History

//! Input validation for artifact registry paths and identifiers
//!
//! Provides security validation to prevent path traversal attacks and
//! ensure inputs conform to protocol specifications.
use std::fmt;
/// Validation errors
#[derive(Debug, Clone, PartialEq)]
pub enum ValidationError {
/// Path contains traversal sequences (../, etc.)
PathTraversal,
/// Docker image name is invalid
InvalidDockerName(String),
/// Content digest is invalid
InvalidDigest(String),
/// Tag/reference is invalid
InvalidReference(String),
/// Input is empty
EmptyInput,
/// Input exceeds maximum length
TooLong { max: usize, actual: usize },
/// Contains forbidden characters
ForbiddenCharacter(char),
}
impl fmt::Display for ValidationError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::PathTraversal => write!(f, "Path traversal detected"),
Self::InvalidDockerName(reason) => write!(f, "Invalid Docker name: {}", reason),
Self::InvalidDigest(reason) => write!(f, "Invalid digest: {}", reason),
Self::InvalidReference(reason) => write!(f, "Invalid reference: {}", reason),
Self::EmptyInput => write!(f, "Input cannot be empty"),
Self::TooLong { max, actual } => {
write!(f, "Input exceeds maximum length ({} > {})", actual, max)
}
Self::ForbiddenCharacter(c) => write!(f, "Forbidden character: {:?}", c),
}
}
}
impl std::error::Error for ValidationError {}
/// Maximum allowed storage key length
const MAX_KEY_LENGTH: usize = 1024;
/// Maximum Docker name length
const MAX_DOCKER_NAME_LENGTH: usize = 256;
/// Maximum tag/reference length
const MAX_REFERENCE_LENGTH: usize = 128;
/// Validate and sanitize a storage key to prevent path traversal attacks.
///
/// Rejects keys containing:
/// - `..` path traversal sequences
/// - Leading `/` or `\` (absolute paths)
/// - Null bytes
/// - Empty segments
pub fn validate_storage_key(key: &str) -> Result<(), ValidationError> {
if key.is_empty() {
return Err(ValidationError::EmptyInput);
}
if key.len() > MAX_KEY_LENGTH {
return Err(ValidationError::TooLong {
max: MAX_KEY_LENGTH,
actual: key.len(),
});
}
// Check for null bytes
if key.contains('\0') {
return Err(ValidationError::ForbiddenCharacter('\0'));
}
// Check for absolute paths
if key.starts_with('/') || key.starts_with('\\') {
return Err(ValidationError::PathTraversal);
}
// Check for path traversal patterns
if key.contains("..") {
return Err(ValidationError::PathTraversal);
}
// Check for backslash (Windows path separator)
if key.contains('\\') {
return Err(ValidationError::PathTraversal);
}
// Check each segment
for segment in key.split('/') {
if segment.is_empty() && key != "" {
// Allow trailing slash but not double slashes
continue;
}
if segment == "." || segment == ".." {
return Err(ValidationError::PathTraversal);
}
}
Ok(())
}
/// Validate Docker image name per OCI distribution spec.
///
/// Valid names:
/// - Lowercase letters, digits, underscores, dots, hyphens
/// - May contain path separators (/)
/// - Each component must start with alphanumeric
/// - Max 256 characters
///
/// Examples:
/// - `nginx` ✓
/// - `library/nginx` ✓
/// - `my-org/my-image` ✓
/// - `NGINX` ✗ (uppercase)
/// - `../escape` ✗ (path traversal)
pub fn validate_docker_name(name: &str) -> Result<(), ValidationError> {
if name.is_empty() {
return Err(ValidationError::EmptyInput);
}
if name.len() > MAX_DOCKER_NAME_LENGTH {
return Err(ValidationError::TooLong {
max: MAX_DOCKER_NAME_LENGTH,
actual: name.len(),
});
}
// Check for path traversal
if name.contains("..") {
return Err(ValidationError::PathTraversal);
}
// Must contain only valid characters
for c in name.chars() {
if !matches!(c, 'a'..='z' | '0'..='9' | '_' | '.' | '-' | '/') {
if c.is_ascii_uppercase() {
return Err(ValidationError::InvalidDockerName(
"must be lowercase".to_string(),
));
}
return Err(ValidationError::ForbiddenCharacter(c));
}
}
// Cannot start with separator
if name.starts_with('/') || name.starts_with('.') || name.starts_with('-') {
return Err(ValidationError::InvalidDockerName(
"cannot start with separator or special character".to_string(),
));
}
// Cannot end with separator
if name.ends_with('/') {
return Err(ValidationError::InvalidDockerName(
"cannot end with /".to_string(),
));
}
// No consecutive separators (except ..)
if name.contains("//") || name.contains("--") || name.contains("__") {
return Err(ValidationError::InvalidDockerName(
"consecutive separators not allowed".to_string(),
));
}
// Each path segment must start with alphanumeric
for segment in name.split('/') {
if segment.is_empty() {
return Err(ValidationError::InvalidDockerName(
"empty path segment".to_string(),
));
}
let first = segment.chars().next().unwrap();
if !first.is_ascii_alphanumeric() {
return Err(ValidationError::InvalidDockerName(
"segment must start with alphanumeric".to_string(),
));
}
}
Ok(())
}
/// Validate content digest format.
///
/// Supported formats:
/// - `sha256:<64 hex chars>`
/// - `sha512:<128 hex chars>`
///
/// Examples:
/// - `sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4` ✓
/// - `sha256:ABC` ✗ (uppercase)
/// - `md5:abc` ✗ (unsupported algorithm)
pub fn validate_digest(digest: &str) -> Result<(), ValidationError> {
if digest.is_empty() {
return Err(ValidationError::EmptyInput);
}
// Check for path traversal (shouldn't be in digest but defensive check)
if digest.contains("..") || digest.contains('/') {
return Err(ValidationError::PathTraversal);
}
let parts: Vec<&str> = digest.splitn(2, ':').collect();
if parts.len() != 2 {
return Err(ValidationError::InvalidDigest(
"missing algorithm prefix (expected algo:hash)".to_string(),
));
}
let (algo, hash) = (parts[0], parts[1]);
match algo {
"sha256" => {
if hash.len() != 64 {
return Err(ValidationError::InvalidDigest(format!(
"sha256 hash must be 64 characters, got {}",
hash.len()
)));
}
}
"sha512" => {
if hash.len() != 128 {
return Err(ValidationError::InvalidDigest(format!(
"sha512 hash must be 128 characters, got {}",
hash.len()
)));
}
}
_ => {
return Err(ValidationError::InvalidDigest(format!(
"unsupported algorithm: {} (use sha256 or sha512)",
algo
)));
}
}
// Hash must be lowercase hex
for c in hash.chars() {
if !matches!(c, '0'..='9' | 'a'..='f') {
if c.is_ascii_uppercase() {
return Err(ValidationError::InvalidDigest(
"hash must be lowercase hex".to_string(),
));
}
return Err(ValidationError::InvalidDigest(format!(
"invalid character in hash: {:?}",
c
)));
}
}
Ok(())
}
/// Validate Docker tag or reference (tag or digest).
///
/// Tags:
/// - Alphanumeric, dots, underscores, hyphens
/// - Max 128 characters
/// - Must start with alphanumeric
///
/// References may also be digests (sha256:...).
pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError> {
if reference.is_empty() {
return Err(ValidationError::EmptyInput);
}
if reference.len() > MAX_REFERENCE_LENGTH {
return Err(ValidationError::TooLong {
max: MAX_REFERENCE_LENGTH,
actual: reference.len(),
});
}
// Check for path traversal
if reference.contains("..") || reference.contains('/') {
return Err(ValidationError::PathTraversal);
}
// If it looks like a digest, validate as digest
if reference.starts_with("sha256:") || reference.starts_with("sha512:") {
return validate_digest(reference);
}
// Validate as tag
let first = reference.chars().next().unwrap();
if !first.is_ascii_alphanumeric() {
return Err(ValidationError::InvalidReference(
"tag must start with alphanumeric".to_string(),
));
}
for c in reference.chars() {
if !matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '.' | '_' | '-') {
return Err(ValidationError::ForbiddenCharacter(c));
}
}
Ok(())
}
/// Validate Maven artifact path.
///
/// Maven paths follow the pattern: groupId/artifactId/version/filename
/// Example: `org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar`
pub fn validate_maven_path(path: &str) -> Result<(), ValidationError> {
validate_storage_key(path)
}
/// Validate npm package name.
pub fn validate_npm_name(name: &str) -> Result<(), ValidationError> {
if name.is_empty() {
return Err(ValidationError::EmptyInput);
}
if name.len() > 214 {
return Err(ValidationError::TooLong {
max: 214,
actual: name.len(),
});
}
// Check for path traversal
if name.contains("..") {
return Err(ValidationError::PathTraversal);
}
Ok(())
}
/// Validate Cargo crate name.
pub fn validate_crate_name(name: &str) -> Result<(), ValidationError> {
if name.is_empty() {
return Err(ValidationError::EmptyInput);
}
if name.len() > 64 {
return Err(ValidationError::TooLong {
max: 64,
actual: name.len(),
});
}
// Check for path traversal
if name.contains("..") || name.contains('/') {
return Err(ValidationError::PathTraversal);
}
// Crate names: alphanumeric, underscores, hyphens
for c in name.chars() {
if !matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-') {
return Err(ValidationError::ForbiddenCharacter(c));
}
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
// Storage key tests
#[test]
fn test_storage_key_valid() {
assert!(validate_storage_key("docker/nginx/blobs/sha256:abc").is_ok());
assert!(validate_storage_key("maven/org/apache/commons").is_ok());
assert!(validate_storage_key("simple").is_ok());
}
#[test]
fn test_storage_key_path_traversal() {
assert!(matches!(
validate_storage_key("../etc/passwd"),
Err(ValidationError::PathTraversal)
));
assert!(matches!(
validate_storage_key("foo/../bar"),
Err(ValidationError::PathTraversal)
));
assert!(matches!(
validate_storage_key("foo/.."),
Err(ValidationError::PathTraversal)
));
}
#[test]
fn test_storage_key_absolute_path() {
assert!(matches!(
validate_storage_key("/etc/passwd"),
Err(ValidationError::PathTraversal)
));
assert!(matches!(
validate_storage_key("\\windows\\system32"),
Err(ValidationError::PathTraversal)
));
}
#[test]
fn test_storage_key_null_byte() {
assert!(matches!(
validate_storage_key("foo\0bar"),
Err(ValidationError::ForbiddenCharacter('\0'))
));
}
#[test]
fn test_storage_key_empty() {
assert!(matches!(
validate_storage_key(""),
Err(ValidationError::EmptyInput)
));
}
#[test]
fn test_storage_key_too_long() {
let long_key = "a".repeat(1025);
assert!(matches!(
validate_storage_key(&long_key),
Err(ValidationError::TooLong { .. })
));
}
// Docker name tests
#[test]
fn test_docker_name_valid() {
assert!(validate_docker_name("nginx").is_ok());
assert!(validate_docker_name("library/nginx").is_ok());
assert!(validate_docker_name("my-org/my-image").is_ok());
assert!(validate_docker_name("my_image").is_ok());
assert!(validate_docker_name("image.name").is_ok());
assert!(validate_docker_name("a/b/c/d").is_ok());
}
#[test]
fn test_docker_name_uppercase() {
assert!(matches!(
validate_docker_name("NGINX"),
Err(ValidationError::InvalidDockerName(_))
));
assert!(matches!(
validate_docker_name("MyImage"),
Err(ValidationError::InvalidDockerName(_))
));
}
#[test]
fn test_docker_name_path_traversal() {
assert!(matches!(
validate_docker_name("../escape"),
Err(ValidationError::PathTraversal)
));
assert!(matches!(
validate_docker_name("foo/../bar"),
Err(ValidationError::PathTraversal)
));
}
#[test]
fn test_docker_name_invalid_start() {
assert!(validate_docker_name("/nginx").is_err());
assert!(validate_docker_name(".nginx").is_err());
assert!(validate_docker_name("-nginx").is_err());
}
#[test]
fn test_docker_name_consecutive_separators() {
assert!(validate_docker_name("foo//bar").is_err());
assert!(validate_docker_name("foo--bar").is_err());
assert!(validate_docker_name("foo__bar").is_err());
}
// Digest tests
#[test]
fn test_digest_valid_sha256() {
let valid = format!("sha256:{}", "a".repeat(64));
assert!(validate_digest(&valid).is_ok());
}
#[test]
fn test_digest_valid_sha512() {
let valid = format!("sha512:{}", "a".repeat(128));
assert!(validate_digest(&valid).is_ok());
}
#[test]
fn test_digest_wrong_length() {
assert!(validate_digest("sha256:abc").is_err());
assert!(validate_digest(&format!("sha256:{}", "a".repeat(63))).is_err());
assert!(validate_digest(&format!("sha256:{}", "a".repeat(65))).is_err());
}
#[test]
fn test_digest_uppercase() {
let upper = format!("sha256:{}", "A".repeat(64));
assert!(matches!(
validate_digest(&upper),
Err(ValidationError::InvalidDigest(_))
));
}
#[test]
fn test_digest_unsupported_algorithm() {
assert!(matches!(
validate_digest("md5:abc"),
Err(ValidationError::InvalidDigest(_))
));
}
#[test]
fn test_digest_missing_prefix() {
assert!(matches!(
validate_digest("abcdef123456"),
Err(ValidationError::InvalidDigest(_))
));
}
// Reference tests
#[test]
fn test_reference_valid_tag() {
assert!(validate_docker_reference("latest").is_ok());
assert!(validate_docker_reference("v1.0.0").is_ok());
assert!(validate_docker_reference("1.0").is_ok());
assert!(validate_docker_reference("my-tag_v2").is_ok());
}
#[test]
fn test_reference_valid_digest() {
let digest = format!("sha256:{}", "a".repeat(64));
assert!(validate_docker_reference(&digest).is_ok());
}
#[test]
fn test_reference_path_traversal() {
assert!(matches!(
validate_docker_reference("../escape"),
Err(ValidationError::PathTraversal)
));
}
#[test]
fn test_reference_invalid_start() {
assert!(validate_docker_reference(".hidden").is_err());
assert!(validate_docker_reference("-dash").is_err());
}
}
Reference in New Issue View Git Blame Copy Permalink