compose: guard x-nerdctl-* extension type assertions#5073
Open
arpitjain099 wants to merge 1 commit into
Open
Conversation
The compose image verify/pull/push paths read x-nerdctl-* extension
values out of the parsed compose file and assert them to string without
checking the type. compose-go accepts any value under an x-* key, so a
malformed entry like `x-nerdctl-verify: 123` loads fine and then
panics the CLI with "interface conversion: interface {} is int, not
string" instead of being ignored or reported.
Use the comma-ok form at every extension site (compose up in
pkg/cmd/compose, compose pull and push in pkg/composer) so a non-string
value falls back to the default rather than crashing. Adds a regression
test that drives the real compose-go loader with an int-valued
x-nerdctl-verify and checks the provider defaults to none.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The compose image verify, pull, and push paths pull
x-nerdctl-*extension values out of the parsed compose file and assert them tostringwithout checking the type first. Theokon those lookups only tells you the key is present, not that the value is a string.compose-go accepts any value under an
x-*key, so a malformed entry like this loads without error:and then
nerdctl compose uppanics on it:So a typo in a compose file crashes the CLI with a stack trace instead of the value being ignored or reported. This is a robustness fix, not a security issue: it's the user crashing their own CLI on their own malformed file.
The change switches every extension read to the comma-ok form so a non-string value falls back to the default (
provider=nonefor verify, skip the flag for the cosign fields) rather than panicking. Same treatment across all three sites:pkg/cmd/compose/compose.go(imageVerifyOptionsFromCompose, compose up), 6 fieldspkg/composer/pull.go(compose pull), 6 fieldspkg/composer/push.go(compose push), 2 fieldsAdded a regression test in
pkg/cmd/composethat writes a compose file with an int-valuedx-nerdctl-verify, loads it through the real compose-go loader (testutil.LoadProject->serviceparser.Parse, the same path production uses), callsimageVerifyOptionsFromCompose, and asserts no panic with the provider defaulting tonone. It panics at compose.go:166 before the fix and passes after.