UNPKG

snyk-docker-plugin

Version:

Snyk CLI docker plugin

github.com/snyk/snyk-docker-plugin

snyk/snyk-docker-plugin

105 lines (89 loc) 3.31 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
import { parseAll } from "@swimlane/docker-reference"; export interface OCIDistributionMetadata { // Must be a valid host, including port if one was used to pull the image. // Max size: 255 bytes. registryHost: string; // Must be a valid OCI repository namespace. // Max size: 2048 bytes. repository: string; // Must match sha256:[a-f0-9]{64} (https://github.com/opencontainers/image-spec/blob/d60099175f88c47cd379c4738d158884749ed235/descriptor.md?plain=1#L143). // Max size: 64 bytes. manifestDigest: string; // (Optional) Must match sha256:[a-f0-9]{64} (https://github.com/opencontainers/image-spec/blob/d60099175f88c47cd379c4738d158884749ed235/descriptor.md?plain=1#L143). // Max size: 64 bytes. indexDigest?: string; // (Optional) Must match [a-zA-Z0-9_][a-zA-Z0-9._-]{0,127} (https://github.com/opencontainers/distribution-spec/blob/3940529fe6c0a068290b27fb3cd797cf0528bed6/spec.md?plain=1#L160). // Max size: 127 bytes. imageTag?: string; } interface OCIDistributionMetadataConstructorInput { imageName: string; manifestDigest: string; indexDigest?: string; } export function constructOCIDisributionMetadata({ imageName, manifestDigest, indexDigest, }: OCIDistributionMetadataConstructorInput): | OCIDistributionMetadata | undefined { try { const ref = parseAll(imageName); if (!ref.domain || !ref.repository) { return; } const metadata: OCIDistributionMetadata = { registryHost: ref.domain, repository: ref.repository, manifestDigest, indexDigest, imageTag: ref.tag, }; if (!ociDistributionMetadataIsValid(metadata)) { return; } return metadata; } catch { return; } } function ociDistributionMetadataIsValid( data: OCIDistributionMetadata, ): boolean { // 255 byte limit is enforced by RFC 1035. if (Buffer.byteLength(data.registryHost) > 255) { return false; } // 2048 byte limit is enforced by Snyk for platform stability. // Longer strings may be valid, but nothing close to this limit has been observed by Snyk at time of writing. if ( Buffer.byteLength(data.repository) > 2048 || !repositoryNameIsValid(data.repository) ) { return false; } if (!digestIsValid(data.manifestDigest)) { return false; } if (data.indexDigest && !digestIsValid(data.indexDigest)) { return false; } if (data.imageTag && !tagIsValid(data.imageTag)) { return false; } return true; } // Regular Expression Source: OCI Distribution Spec V1 // https://github.com/opencontainers/distribution-spec/blob/570d0262abe8ec5e59d8e3fbbd7be4bd784b200e/spec.md?plain=1#L141 const repositoryNameIsValid = (name: string) => /^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$/.test( name, ); // Regular Expression Source: OCI Image Spec V1 // https://github.com/opencontainers/image-spec/blob/d60099175f88c47cd379c4738d158884749ed235/descriptor.md?plain=1#L143 const digestIsValid = (digest: string) => /^sha256:[a-f0-9]{64}$/.test(digest); // Regular Expression Source: OCI Image Spec V1 // https://github.com/opencontainers/distribution-spec/blob/3940529fe6c0a068290b27fb3cd797cf0528bed6/spec.md?plain=1#L160 const tagIsValid = (tag: string) => /^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$/.test(tag);