From 8e36bfd4d1a60efb1947f263641c1ec4258d9fa5 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com>
Date: Sat, 2 Sep 2023 01:28:31 -0700
Subject: [PATCH] fix: add manifest validation checks (#1747)

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
---
 pkg/storage/common/common.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/storage/common/common.go b/pkg/storage/common/common.go
index af1e9975..48941b8c 100644
--- a/pkg/storage/common/common.go
+++ b/pkg/storage/common/common.go
@@ -95,7 +95,17 @@ func ValidateManifest(imgStore storageTypes.ImageStore, repo, reference, mediaTy
 			return "", zerr.ErrBadManifest
 		}
 
-		if manifest.Config.MediaType == ispec.MediaTypeImageConfig {
+		// validate blobs only for known media types
+		if manifest.Config.MediaType == ispec.MediaTypeImageConfig ||
+			manifest.Config.MediaType == ispec.MediaTypeEmptyJSON {
+			// validate config blob - a lightweight check if the blob is present
+			ok, _, _, err := imgStore.StatBlob(repo, manifest.Config.Digest)
+			if !ok || err != nil {
+				log.Error().Err(err).Str("digest", manifest.Config.Digest.String()).Msg("missing config blob")
+
+				return "", zerr.ErrBadManifest
+			}
+
 			// validate layers - a lightweight check if the blob is present
 			for _, layer := range manifest.Layers {
 				if IsNonDistributable(layer.MediaType) {