Metadata API: METAPATHs != top level roles

Add a sanity check that METAPATs are not allowed to be one of the top level metadata roles. For more context read: https://theupdateframework.github.io/specification/latest/#snapshot-metapath Signed-off-by: Martin Vrachev <[email protected]>
theupdateframework · Nov 9, 2021 · 8b21020 · 8b21020
1 parent 07b40d5
commit 8b21020
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/tests/test_metadata_serialization.py b/tests/test_metadata_serialization.py
@@ -268,6 +268,8 @@ def test_timestamp_serialization(self, test_case_data: str):
         "no metafile": '{ "_type": "snapshot", "spec_version": "1.0.0", "version": 1, "expires": "2030-01-01T00:00:00Z"}',
         "meta path empty string": '{ "_type": "snapshot", "spec_version": "1.0.0", "version": 1, "expires": "2030-01-01T00:00:00Z", \
             "meta": { "": {"hashes": {"sha256" : "abc"}, "version": 1} }}',
+        "meta path as top level role": '{ "_type": "snapshot", "spec_version": "1.0.0", "version": 1, "expires": "2030-01-01T00:00:00Z", \
+            "meta": { "root": {"hashes": {"sha256" : "abc"}, "version": 1} }}',
     }
 
     @utils.run_sub_tests_with_dataset(invalid_snapshots)

diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -1028,6 +1028,8 @@ def __init__(
         super().__init__(version, spec_version, expires, unrecognized_fields)
         if any(meta_path == "" for meta_path in meta):
             raise ValueError("All meta paths must be non-empty strings")
+        if any(meta_path in TOP_LEVEL_ROLE_NAMES for meta_path in meta):
+            raise ValueError("Meta paths must not be top-level metadata roles")
         self.meta = meta
 
     @classmethod