Disallow '/' in key name

Signed-off-by: Nghia Tran <[email protected]>
chainguard-dev · Jan 24, 2025 · 4962fae · 4962fae
1 parent 784a235
commit 4962fae
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/apk/apk/index.go b/pkg/apk/apk/index.go
@@ -343,6 +343,12 @@ func parseRepositoryIndex(ctx context.Context, u string, keys map[string][]byte,
 		if len(keys) == 0 {
 			return nil, fmt.Errorf("no keys provided to verify signature")
 		}
+		// check that they key name aren't paths or URLs
+		for keyName := range keys {
+			if strings.Contains(keyName, "/") {
+				return nil, fmt.Errorf("invalid keyname %q", keyName)
+			}
+		}
 		buf := bytes.NewReader(b)
 		gzipReader, err := gzip.NewReader(buf)
 		if err != nil {
@@ -373,6 +379,7 @@ func parseRepositoryIndex(ctx context.Context, u string, keys map[string][]byte,
 				return nil, fmt.Errorf("failed to find key name in signature file name: %s", signatureFile.Name)
 			}
 			keyfile := matches[2]
+			fmt.Println("signature file: ", signatureFile.Name, " keyfile: ", keyfile, " matches: ", matches)
 			if _, ok := keys[keyfile]; !ok {
 				// Ignore this signature if we don't have the key
 				continue