Calculate missing checksum for file:// based images

The fix for CVE-2024-47211 results in image checksum being required in all cases. However there is no requirement for checksums in file:// based images. This change checks for this situation. When checksum is missing for file:// based image_source it is now calculated on-the-fly. Change-Id: Ib2fd5ddcbee9a9d1c7e32770ec3d9b6cb20a2e2a
2024-11-22 14:25:39 +13:00 · 2024-11-22 14:25:39 +13:00 · b827c7bf72
commit b827c7bf72
parent 3206da1f25
3 changed files with 33 additions and 2 deletions
--- a/ironic/common/checksum_utils.py
+++ b/ironic/common/checksum_utils.py
@ -156,8 +156,19 @@ def get_checksum_and_algo(instance_info):
        checksum_algo = instance_info.get('image_os_hash_algo')
    else:
        checksum = instance_info.get('image_checksum')
-        if is_checksum_url(checksum):
-            image_source = instance_info.get('image_source')
+        image_source = instance_info.get('image_source')
+
+        # NOTE(stevebaker): file:// images have no requirement to supply
+        # checksums but they are now mandatory for validation as part
+        # of the fix for CVE-2024-47211.
+        # The only practical option is to calculate it here.
+        if checksum is None and image_source.startswith('file:'):
+            checksum_algo = "sha256"
+            image_path = urlparse.urlparse(image_source).path
+            checksum = fileutils.compute_file_checksum(
+                image_path, algorithm=checksum_algo)
+
+        elif is_checksum_url(checksum):
            checksum = get_checksum_from_url(checksum, image_source)

        # NOTE(TheJulia): This is all based on SHA-2 lengths.
--- a/ironic/tests/unit/common/test_checksum_utils.py
+++ b/ironic/tests/unit/common/test_checksum_utils.py
@ -17,6 +17,7 @@
 from unittest import mock

 from oslo_config import cfg
+from oslo_utils import fileutils

 from ironic.common import checksum_utils
 from ironic.common import exception
@ -149,6 +150,18 @@ class IronicChecksumUtilsTestCase(base.TestCase):
        self.assertEqual('f' * 128, csum)
        self.assertEqual('sha512', algo)

+    @mock.patch.object(fileutils, 'compute_file_checksum', autospec=True)
+    def test_get_checksum_and_algo_no_checksum_file_url(self, mock_cfc):
+        i_info = {
+            'image_source': 'file:///var/lib/ironic/images/foo.raw'
+        }
+        mock_cfc.return_value = 'f' * 64
+        csum, algo = checksum_utils.get_checksum_and_algo(i_info)
+        mock_cfc.assert_called_once_with('/var/lib/ironic/images/foo.raw',
+                                         algorithm='sha256')
+        self.assertEqual('f' * 64, csum)
+        self.assertEqual('sha256', algo)
+

@mock.patch.object(image_service.HttpImageService, 'get',
                   autospec=True)
--- a/releasenotes/notes/missing_file_checksum-4931c98031951486.yaml
+++ b/releasenotes/notes/missing_file_checksum-4931c98031951486.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    The fix for CVE-2024-47211 results in image checksum being required in all
+    cases. However there is no checksum requirement for file://
+    based images. When checksum is missing for file:// based image_source it is
+    now calculated on-the-fly.