Proposal : centralize validations / checks between cli, api & builder

[vdemeester]

As discussed a little bit on there #10409 (and more other issues and IRC I guess), we might want to have a package to handle validations that could be used in all builder, api and cli. I'm quoting @cpuguy83. An example is the following issue : #13821 where the check is done in cli and not at all in the API part of it ; leading to unwanted behavior.

What we could do is have an actual validator that gets checked before a container is even attempted to be created, and make sure that validation happens for each user input (builder, api, cli), and that it's all the same validator, since right now it's all over the place.

I propose to have a pkg/validation that would centralize validations and ease maintaining this as it gets updated. Not sure the name pkg/validation is the right one but..

I'm thinking of a way to make it as easy and flexible as possible but do not have a final idea in the head. In the current state of thinking I had (which is still pretty small), I was thinking we could have some sort of struct where we could set the context of the validation (cli, api, builder). The validation method would skip things or do differently depending on the context ; something roughly like the following.

// Have a way to get/build it easily
cliValidator := validators.ForCli()
builderValidator := validators.ForAPI()

// Same method on both
cliValidator.ValidateTagName(…, …)
builderValidator.ValidateTagName(…, …)

// Method
func (v *Validator) ValidateTageName(…) error {
    // Do some common validation
    if isCli(v) {
        // Do some cli-only specific validation
    }
    if isAPI(v) {
        // Do some API-only validation
    }
    // Do some more common validation
}

It's really rough and I'm still looking for information, opinion, critics 😉. Any input is more than welcome 😝.

If it feels we want to implement this, it should probably be cut in several PR (for the general way to do this, and for each type of validations : volumes, repository/tag name, …), but I'm probably way ahead of myself here 😅.

[hqhq]

Leave the validation to the data's own package seems more reasonable to me, problems like #13821 and #10409 are more about where to do the validation than how to do the validation, can this proposal resolve this? Are you trying to do all validation in one place? I'm not sure it'll work for all cases.

[runcom]

pkg/* isn't really good to me, usually pkgs tends to be docker agnostic. Maybe top level

[cpuguy83]

Agreed, validations should be kept in the package that's being called (probably daemon in these cases).
It's just that validations really ought to happen before a container is ever created so that config issues can be surfaced immediately.

[runcom]

+1 to the idea tho :)

[vdemeester]

@runcom hum right, pkg/… is not the right idea then. I've renamed the issue to be less specific.

@hqhq @cpuguy83 ok, it seems reasonable to let the validation in the package they are needed. The purpose of this proposal is just to centralize a bit the validation checks so that we don't end up with different validation behavior when using cli or api (and builder too then).

The #13821 is not really a good example as the only checks that is done in the client part is ValidateRepositoryName, the rest are done on the server side.

But If we take a look at volumes :

• client side : we do validate the format using opts.ValidatePath.
• server side : we do validate this in daemon.parseVolumeSource (volume_stubs.go), daemon.parseBindMount, not the exact same way.
• builder side : as Bad volume path sanitisation and checks. #10409 state, there is no real check.
  So it's not possible to use -v /::rw as cli option, but using the api, /::rw is valid. And in Bad volume path sanitisation and checks. #10409 (comment), we can put pretty much anything 😓 (even environment variables).

By centralizing a bit those kind of changes, it would make some thing more coherent between the use of the API, the CLI and with the builder.

[cyphar]

I am +1 on any change that centralises our path sanitisation / validation (and general sanitisation / validation stuff). One of the biggest security-facing issues we have in Docker is that we have 15 different implementations of the same santisation / validation code, and a bug in one of those implementations is less that trivial to find (since only one endpoint is vulnerable).

The issue with making validation a package is that there is a bunch of stateful information (such as the state of the daemon or a container) that is relevant to validation of input.