Validates tag names and tags#bulk_destroy

c2d1fbe5 · Giorgenes Gelatti · Nathan Friend · 786133d3 · c2d1fbe5 · c2d1fbe5
Commit c2d1fbe5 authored Jul 23, 2019 by Giorgenes Gelatti Committed by Nathan Friend Jul 30, 2019
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

app/controllers/projects/registry/tags_controller.rb app/controllers/projects/registry/tags_controller.rb +9 -0

lib/container_registry/tag.rb lib/container_registry/tag.rb +7 -0

No files found.
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -29,7 +29,16 @@ module Projects
      end

      def bulk_destroy
+        unless params[:ids].present?
+          head :bad_request
+          return
+        end
+
        @tags = (params[:ids] || []).map { |tag_name| image.tag(tag_name) }
+        unless @tags.all? { |tag| tag.valid_name? }
+          head :bad_request
+          return
+        end

        success_count = 0
        @tags.each do |tag|

--- a/lib/container_registry/tag.rb
+++ b/lib/container_registry/tag.rb
@@ -6,6 +6,9 @@ module ContainerRegistry

    attr_reader :repository, :name

+    # https://github.com/docker/distribution/commit/3150937b9f2b1b5b096b2634d0e7c44d4a0f89fb
+    TAG_NAME_REGEX = /^[\w][\w.-]{0,127}$/.freeze
+
    delegate :registry, :client, to: :repository
    delegate :revision, :short_revision, to: :config_blob, allow_nil: true

@@ -13,6 +16,10 @@ module ContainerRegistry
      @repository, @name = repository, name
    end

+    def valid_name?
+      !name.match(TAG_NAME_REGEX).nil?
+    end
+
    def valid?
      manifest.present?
    end