From 8f52674badbb93625e09bca17d4922e5308c707d Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Thu, 23 Jan 2025 16:24:23 -0800
Subject: [PATCH] Disallow `/` in key names
Signed-off-by: Nghia Tran
---
 pkg/apk/apk/index.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/apk/apk/index.go b/pkg/apk/apk/index.go
index 505dddd1..e16a1dcf 100644
--- a/pkg/apk/apk/index.go
+++ b/pkg/apk/apk/index.go
@@ -343,6 +343,12 @@ func parseRepositoryIndex(ctx context.Context, u string, keys map[string][]byte,
 if len(keys) == 0 {
 return nil, fmt.Errorf("no keys provided to verify signature")
 }
+ // check that they key name aren't paths or URLs
+ for keyName := range keys {
+ if strings.Contains(keyName, "/") {
+ return nil, fmt.Errorf("invalid keyname %q", keyName)
+ }
+ }
 buf := bytes.NewReader(b)
 gzipReader, err := gzip.NewReader(buf)
 if err != nil {
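Review bot: The new loop in parseRepositoryIndex rejects only `/`, while its comment promises that key names are not paths or URLs; a name containing `\` or an empty name still passes. If these names are later matched against signature entry names or joined into a file path (not visible in this hunk), consider tightening the guard to `if keyName == "" || strings.ContainsAny(keyName, "/\\") {` and stating the reason in the error, e.g. `fmt.Errorf("invalid key name %q: must not contain a path separator", keyName)`. The comment has a typo and could read `// reject key names that look like paths or URLs`. The patch touches one file and adds no test; a table-driven case covering a URL, a relative path and a plain file name would pin the behaviour. The function body starts and ends outside the hunk.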