hotfix: fixed image format validation

The image validation assumed that the registry/domain name of an image contains a dot (.) as domain usually do. However this doesn't work for images coming from private registries like 'private-registry:3000'. Making the dot optional also doesn't fix the problem since for image like 'path/to/image:tag', 'path' would be recognized as a domain name. Thus the validation has been change so that domains that do not contain a dot, necessarily need to specify a port in order for them to be recognized as domains. fix #114
sse-secure-systems · Apr 8, 2021 · aee751b · aee751b
1 parent 47b60ab
commit aee751b
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/connaisseur/image.py b/connaisseur/image.py
@@ -27,7 +27,11 @@ class Image:
 
     def __init__(self, image: str):
         # e.g. example.com, super.example.com:3498
-        domain_re = r"(?:[a-z0-9-]{1,63}\.){1,62}[a-z0-9-]{1,63}(?::[0-9]{1,5})?"
+        domain_with_dot_re = (
+            r"(?:[a-z0-9-]{1,63}\.){1,62}[a-z0-9-]{1,63}(?::[0-9]{1,5})?"
+        )
+        # e.g. private-registry:30000, localhost:5000
+        domain_without_dot_re = r"[a-z0-9-]{1,64}(?::[0-9]{1,5})"
         # e.g. library/, library/alpine/,
         repo_re = r"(?:[\w-]+\/)+"
         # e.g. alpine, nginx, hello-world
@@ -36,7 +40,10 @@ def __init__(self, image: str):
         tag_re = r"(?:(?:@sha256:([a-f0-9]{64}))|(?:\:([\w.-]+)))"
 
         # e.g. docker.io/library/python:3.7-alpine
-        regex = f"^({domain_re}/)?({repo_re})?({image_re})({tag_re})?$"
+        regex = (
+            f"^((?:{domain_with_dot_re}|{domain_without_dot_re})/)?"
+            f"({repo_re})?({image_re})({tag_re})?$"
+        )
 
         match = re.search(regex, image)
         if not match:

diff --git a/connaisseur/tests/test_image.py b/connaisseur/tests/test_image.py
@@ -57,6 +57,7 @@ def im():
             "path",
             "sub.registry.io",
         ),
+        ("registry:3000/image:tag", "image", "tag", None, "", "registry:3000"),
     ],
 )
 def test_image(

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -1,7 +1,7 @@
 # configure connaisseur deployment
 deployment:
   replicasCount: 3
-  image: securesystemsengineering/connaisseur:v1.4.6
+  image: securesystemsengineering/connaisseur:v1.4.7
   helmHookImage: securesystemsengineering/connaisseur:helm-hook-v1.0
   imagePullPolicy: Always
   resources: {}
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,7 @@ def im(): @@
                 "path",
                 "sub.registry.io",
             ),
+            ("registry:3000/image:tag", "image", "tag", None, "", "registry:3000"),
         ],
     )
     def test_image(
@@ Expand Down @@