From 4962fae5dcb8e27fbcdd82486fc4ef4c1123775e Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Thu, 23 Jan 2025 16:47:07 -0800
Subject: [PATCH] Disallow '/' in key name

Signed-off-by: Nghia Tran
---
 pkg/apk/apk/index.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/apk/apk/index.go b/pkg/apk/apk/index.go
index 505dddd1..d7f06e5b 100644
--- a/pkg/apk/apk/index.go
+++ b/pkg/apk/apk/index.go
@@ -343,6 +343,12 @@ func parseRepositoryIndex(ctx context.Context, u string, keys map[string][]byte,
 if len(keys) == 0 {
 return nil, fmt.Errorf("no keys provided to verify signature")
 }
+ // check that they key name aren't paths or URLs
+ for keyName := range keys {
+ if strings.Contains(keyName, "/") {
+ return nil, fmt.Errorf("invalid keyname %q", keyName)
+ }
+ }
 buf := bytes.NewReader(b)
 gzipReader, err := gzip.NewReader(buf)
 if err != nil {
@@ -373,6 +379,7 @@ func parseRepositoryIndex(ctx context.Context, u string, keys map[string][]byte,
 return nil, fmt.Errorf("failed to find key name in signature file name: %s", signatureFile.Name)
 }
 keyfile := matches[2]
+ fmt.Println("signature file: ", signatureFile.Name, " keyfile: ", keyfile, " matches: ", matches)
 if _, ok := keys[keyfile]; !ok {
 // Ignore this signature if we don't have the key
 continue
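Review bot: The new loop in the first hunk rejects only a forward slash, so key names such as `..`, `.`, the empty string, or a name containing a backslash still pass, which matters if the name is ever joined into a filesystem path or compared against tar member names elsewhere in parseRepositoryIndex (the function starts before and continues after this hunk, so I cannot see how the name is used). If the comment's intent is that key names are never paths or URLs, tighten the guard to `if keyName == "" || keyName == "." || keyName == ".." || strings.ContainsAny(keyName, `/\`) {` and fix the comment typo to `// reject key names that look like paths or URLs`. Note that the check fails the whole index parse when any one supplied key is malformed instead of skipping that key, which is reasonable for a trusted local keyring but worth stating in the error message, e.g. `"invalid key name %q: must not contain path separators"`. This also presumes `strings` is already imported in index.go; the import block is outside the hunk.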
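Review bot: The `fmt.Println` added after `keyfile := matches[2]` in the second hunk is leftover debug output: it writes every signature file name, extracted key name and regex match to stdout from inside a library parsing routine, and it is not mentioned in the commit subject, which only covers the slash check. It also runs before the `keys[keyfile]` lookup, so it prints for every signature in the index, including ones for keys the caller does not hold. Drop the line before merge, or if the trace is wanted route it through whatever logger index.go already uses with the `ctx` this function receives, at debug level rather than unconditional stdout. parseRepositoryIndex begins and ends outside this hunk.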