oci: do not require top-level mediaType

cyphar · cyphar · commit 4d7e69c248fb · 2025-08-19T04:00:20.000+10:00
The top-level mediaType member was added in response to CVE-2021-41190, but while it is suggested (SHOULD) it is not required (MUST) and some older tools do not fill this mediaType field (such as skopeo, at least for "index.json"). I plan to use these jq-based validation scripts for umoci, but incompatibility with skopeo is a little annoying (since that is what we use to pull images for our tests). We can work around it for "index.json", but it seems incorrect to claim that an image is invalid because of a missing suggested field. Instead, add an informational message but still permit such images. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
diff --git a/oci.jq b/oci.jq
@@ -250,11 +250,28 @@ def validate_oci_subject_haver:
 	else . end
 ;
 
+# Some objects have .mediaType fields which SHOULD NOT be unset but are still
+# valid if they are missing, so we should emit a warning if they are unset but
+# do not error out.
+# usage: same as validate_IN(.mediaType; options).
+# https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh (CVE-2021-41190)
+# https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md
+# https://github.com/opencontainers/image-spec/blob/v1.1.1/image-index.md
+def validate_optional_mediatype(options):
+	if has("mediaType") then
+		validate_IN(.mediaType; options)
+	else [
+		# Output a warning message.
+		("warning: top-level mediaType field is missing from object (see CVE-2021-41190)\nexpected one of:\n\t\([ options | tojson ] | join("\n\t"))\n" | stderr | empty),
+		.
+	] | last end
+;
+
 # https://github.com/opencontainers/image-spec/blob/v1.1.1/image-index.md
 def validate_oci_index($opt):
 	validate_IN(type; "object")
 	| validate_IN(.schemaVersion; 2)
-	| validate_IN(.mediaType; media_types_index)
+	| validate_optional_mediatype(media_types_index)
 	| if has("artifactType") then
 		validate(.artifactType; type == "string")
 		| validate_IN(.artifactType; null) # TODO acceptable values? (this check intentionally contradicts the one above so artifactType generates an error)
@@ -296,7 +313,7 @@ def validate_oci_index: validate_oci_index({});
 def validate_oci_image($opt):
 	validate_IN(type; "object")
 	| validate_IN(.schemaVersion; 2)
-	| validate_IN(.mediaType; media_types_image)
+	| validate_optional_mediatype(media_types_image)
 	| if has("artifactType") then
 		validate(.artifactType; type == "string")
 		| validate_IN(.artifactType;
