Skip to content

compose: guard x-nerdctl-* extension type assertions#5073

Open
arpitjain099 wants to merge 1 commit into
containerd:mainfrom
arpitjain099:fix/compose-extension-type-assert-panic
Open

compose: guard x-nerdctl-* extension type assertions#5073
arpitjain099 wants to merge 1 commit into
containerd:mainfrom
arpitjain099:fix/compose-extension-type-assert-panic

Conversation

@arpitjain099

Copy link
Copy Markdown

The compose image verify, pull, and push paths pull x-nerdctl-* extension values out of the parsed compose file and assert them to string without checking the type first. The ok on those lookups only tells you the key is present, not that the value is a string.

compose-go accepts any value under an x-* key, so a malformed entry like this loads without error:

services:
  app:
    image: alpine:latest
    x-nerdctl-verify: 123

and then nerdctl compose up panics on it:

panic: interface conversion: interface {} is int, not string
  .../pkg/cmd/compose/compose.go:166 imageVerifyOptionsFromCompose

So a typo in a compose file crashes the CLI with a stack trace instead of the value being ignored or reported. This is a robustness fix, not a security issue: it's the user crashing their own CLI on their own malformed file.

The change switches every extension read to the comma-ok form so a non-string value falls back to the default (provider=none for verify, skip the flag for the cosign fields) rather than panicking. Same treatment across all three sites:

  • pkg/cmd/compose/compose.go (imageVerifyOptionsFromCompose, compose up), 6 fields
  • pkg/composer/pull.go (compose pull), 6 fields
  • pkg/composer/push.go (compose push), 2 fields

Added a regression test in pkg/cmd/compose that writes a compose file with an int-valued x-nerdctl-verify, loads it through the real compose-go loader (testutil.LoadProject -> serviceparser.Parse, the same path production uses), calls imageVerifyOptionsFromCompose, and asserts no panic with the provider defaulting to none. It panics at compose.go:166 before the fix and passes after.

go test ./pkg/cmd/compose/...

The compose image verify/pull/push paths read x-nerdctl-* extension
values out of the parsed compose file and assert them to string without
checking the type. compose-go accepts any value under an x-* key, so a
malformed entry like `x-nerdctl-verify: 123` loads fine and then
panics the CLI with "interface conversion: interface {} is int, not
string" instead of being ignored or reported.

Use the comma-ok form at every extension site (compose up in
pkg/cmd/compose, compose pull and push in pkg/composer) so a non-string
value falls back to the default rather than crashing. Adds a regression
test that drives the real compose-go loader with an int-valued
x-nerdctl-verify and checks the provider defaults to none.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants