ocibuild_digest (ocibuild v0.10.4)
Digest utilities for OCI content addressing.
OCI uses SHA256 digests in the format sha256:<hex> to identify
content-addressable blobs.
Security Note
The encoded/1 function extracts the hash portion from a digest WITHOUT
validation. When using digests from untrusted sources (registry manifests,
tarballs) to construct file paths, callers MUST validate the digest format
first to prevent path traversal attacks.
A malicious digest like sha256:../../etc/passwd would return ../../etc/passwd
from encoded/1, which could escape intended directories when used in file paths.
Safe pattern:
case validate_digest_format(Digest) of
    {ok, _} ->
        Path = filename:join(Dir, binary_to_list(ocibuild_digest:encoded(Digest)));
    {error, _} ->
        {error, invalid_digest}
end.
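The safe pattern above calls validate_digest_format/1 without showing its body. The following is an added example, not code from ocibuild: the module name digest_path_example, the helper blob_path/2, the directory and the strict rule (sha256: followed by exactly 64 lowercase hex characters) are assumptions made for illustration.

```erlang
-module(digest_path_example).
-export([validate_digest_format/1, blob_path/2, demo/0]).

%% Hypothetical validator: accept only "sha256:" followed by exactly
%% 64 characters from [0-9a-f]. Anything else, including "/", "." and
%% NUL bytes, is rejected before a path is ever built.
validate_digest_format(<<"sha256:", Hex:64/binary>> = Digest) ->
    case is_lower_hex(Hex) of
        true -> {ok, Digest};
        false -> {error, invalid_digest}
    end;
validate_digest_format(_) ->
    {error, invalid_digest}.

is_lower_hex(<<>>) -> true;
is_lower_hex(<<C, Rest/binary>>) when C >= $0, C =< $9; C >= $a, C =< $f ->
    is_lower_hex(Rest);
is_lower_hex(_) -> false.

%% Join Dir and the hex part only after validation, so the joined
%% component is always a single, fixed-length file name.
blob_path(Dir, Digest) ->
    case validate_digest_format(Digest) of
        {ok, <<"sha256:", Hex/binary>>} ->
            {ok, filename:join(Dir, binary_to_list(Hex))};
        {error, _} = Err ->
            Err
    end.

%% Constructed inputs; each match crashes with badmatch if the check fails.
demo() ->
    Dir = "/var/lib/blobs",
    Good = <<"sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824">>,
    %% 64 bytes long but not hex: a length check alone is not enough.
    Padded = <<"sha256:", (binary:copy(<<"../">>, 21))/binary, "x">>,
    {ok, Path} = blob_path(Dir, Good),
    {error, invalid_digest} = blob_path(Dir, <<"sha256:../../etc/passwd">>),
    {error, invalid_digest} = blob_path(Dir, Padded),
    {error, invalid_digest} = blob_path(Dir, <<"sha256:abc123">>),
    {error, invalid_digest} = blob_path(Dir, <<"SHA256:abc123">>),
    Path.
```

Compile with erlc and call digest_path_example:demo() from the shell. Note that short test values such as sha256:abc123 from the function examples are rejected by this strict rule.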
Types
-type digest() :: binary().
Functions
Extract the algorithm from a digest.
~"sha256" = ocibuild_digest:algorithm(~"sha256:abc123").
Extract the encoded hash from a digest.
~"abc123" = ocibuild_digest:encoded(~"sha256:abc123").
Parse a hex string to binary.
Calculate SHA256 digest of data in OCI format.
Returns the digest in the standard OCI format: sha256:<hex>.
~"sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" =
    ocibuild_digest:sha256(~"hello").
Calculate raw SHA256 hash and return as hex string (without algorithm prefix).
Convert binary to lowercase hex string.