From c2d1fbe507cc1732927ca7c656078cf47754ceeb Mon Sep 17 00:00:00 2001
From: Giorgenes Gelatti
Date: Tue, 23 Jul 2019 19:57:28 +1000
Subject: [PATCH] Validates tag names and tags#bulk_destroy
---
 app/controllers/projects/registry/tags_controller.rb | 9 +++++++++
 lib/container_registry/tag.rb | 7 +++++++
 2 files changed, 16 insertions(+)
diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb
index 22c87dfe1c0..633a7865cfe 100644
--- a/app/controllers/projects/registry/tags_controller.rb
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -29,7 +29,16 @@ module Projects
 end
 def bulk_destroy
+ unless params[:ids].present?
+ head :bad_request
+ return
+ end
+
 @tags = (params[:ids] || []).map { |tag_name| image.tag(tag_name) }
+ unless @tags.all? { |tag| tag.valid_name? }
+ head :bad_request
+ return
+ end
 success_count = 0
 @tags.each do |tag|
diff --git a/lib/container_registry/tag.rb b/lib/container_registry/tag.rb
index ef41dc560c9..ebea84fa1ca 100644
--- a/lib/container_registry/tag.rb
+++ b/lib/container_registry/tag.rb
@@ -6,6 +6,9 @@ module ContainerRegistry
 attr_reader :repository, :name
+ # https://github.com/docker/distribution/commit/3150937b9f2b1b5b096b2634d0e7c44d4a0f89fb
+ TAG_NAME_REGEX = /^[\w][\w.-]{0,127}$/.freeze
+
 delegate :registry, :client, to: :repository
 delegate :revision, :short_revision, to: :config_blob, allow_nil: true
@@ -13,6 +16,10 @@ module ContainerRegistry
 @repository, @name = repository, name
 end
+ def valid_name?
+ !name.match(TAG_NAME_REGEX).nil?
+ end
+
 def valid?
 manifest.present?
 end
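Review bot: The new `params[:ids].present?` guard in `bulk_destroy` accepts any non-blank value, not only an array, so a scalar or hash-shaped `ids` parameter still reaches `.map` and would presumably fail with an unhandled error rather than the intended 400. Checking the shape in the guard covers both cases: `unless params[:ids].is_a?(Array) && params[:ids].any?`. With that guard in place the `|| []` fallback on the `@tags` line is dead code and can go. Nothing visible in the hunk caps how many ids one request may carry, and each tag is processed in the loop that follows, so a limit may be worth adding if none exists upstream. The body of `bulk_destroy` continues outside the hunk.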
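Review bot: `TAG_NAME_REGEX` in `lib/container_registry/tag.rb` is anchored with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string. A multi-line value containing one conforming line therefore passes `valid_name?` (added in the next hunk) and the `bulk_destroy` check built on it. Anchoring the whole string closes that gap: `TAG_NAME_REGEX = /\A[\w][\w.-]{0,127}\z/.freeze`. The comment above the constant only links a commit; a line stating the rule itself (one word character, then up to 127 word characters, `.` or `-`) would save readers the lookup. A spec for a name with an embedded newline would pin the behaviour.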
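Review bot: `valid_name?` calls `name.match`, which raises NoMethodError when `name` is nil or any non-String object, so a malformed element passed through `image.tag(tag_name)` would presumably surface as a 500 instead of the 400 the controller intends. `name.is_a?(String) && name.match?(TAG_NAME_REGEX)` returns a plain boolean for every input and avoids building a MatchData. Since `valid?` just below checks for a manifest rather than the name, a one-line comment such as `# True when the tag name matches the registry's tag grammar; does not check that the tag exists.` would keep the two predicates from being confused.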