bundle: Roundtrip manifest before hashing

When OPA verifies the content of the manifest file, it first parses it into a JSON structure and then recursively orders the fields of all objects alphabetically and then applies the hash function. The same process was not followed while generating the hash for the manifest content which would result in a digest mismatch during verification. This can be observed with a manifest that contains metadata. Fixes: #4233 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
open-policy-agent · Jan 19, 2022 · d2c11e5 · d2c11e5
1 parent a75b74d
commit d2c11e5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/bundle/bundle.go b/bundle/bundle.go
@@ -750,10 +750,24 @@ func hashBundleFiles(hash SignatureHasher, b *Bundle) ([]FileInfo, error) {
 		files = append(files, NewFile(strings.TrimPrefix(wasmModule.Path, "/"), hex.EncodeToString(bs), defaultHashingAlg))
 	}
 
-	bs, err = hash.HashFile(b.Manifest)
+	// Parse the manifest into a JSON structure;
+	// then recursively order the fields of all objects alphabetically and then apply
+	// the hash function to result to compute the hash.
+	mbs, err := json.Marshal(b.Manifest)
 	if err != nil {
 		return files, err
 	}
+
+	var result map[string]interface{}
+	if err := util.Unmarshal(mbs, &result); err != nil {
+		return files, err
+	}
+
+	bs, err = hash.HashFile(result)
+	if err != nil {
+		return files, err
+	}
+
 	files = append(files, NewFile(strings.TrimPrefix(ManifestExt, "/"), hex.EncodeToString(bs), defaultHashingAlg))
 
 	return files, err

diff --git a/bundle/bundle_test.go b/bundle/bundle_test.go
@@ -851,7 +851,9 @@ func TestRoundtrip(t *testing.T) {
 			},
 		},
 		Manifest: Manifest{
+			Roots:    &[]string{""},
 			Revision: "quickbrownfaux",
+			Metadata: map[string]interface{}{"version": "v1", "hello": "world"},
 		},
 	}