From 5f2713298133048333ea050bfa854c12b1ffb5a8 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 13 Aug 2024 11:27:28 -0700 Subject: [PATCH] Enforce that `GitCommit` must be a *full* commit hash I thought this was already the behavior, but I guess it was relaxed because previous iterations of this validation had to apply to the older format where we'd been less meticulous about enforcing this. Since those are all gone now, we can safely update the validation to enforce that commit hashes *must* be fully qualified. --- manifest/rfc2822.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest/rfc2822.go b/manifest/rfc2822.go index c94cb992..e415f83d 100644 --- a/manifest/rfc2822.go +++ b/manifest/rfc2822.go @@ -16,7 +16,7 @@ import ( ) var ( - GitCommitRegex = regexp.MustCompile(`^[0-9a-f]{1,64}$`) + GitCommitRegex = regexp.MustCompile(`^([0-9a-f]{40}|[0-9a-f]{64})$`) GitFetchRegex = regexp.MustCompile(`^refs/(heads|tags)/[^*?:]+$`) // https://github.com/docker/distribution/blob/v2.7.1/reference/regexp.go#L37