argoproj · blakepettersson · Sep 18, 2025 · Sep 18, 2025
@@ -232,12 +232,28 @@ func (c *nativeOCIClient) Extract(ctx context.Context, digest string) (string, u
 			return "", nil, err
 		}
 
-		if len(ociManifest.Layers) != 1 {
-			return "", nil, fmt.Errorf("expected only a single oci layer, got %d", len(ociManifest.Layers))
+		// Add a guard to defend against a ridiculous amount of layers. No idea what a good amount is, but normally we
+		// shouldn't expect more than 2-3 in most real world use cases.
+		if len(ociManifest.Layers) > 10 {
+			return "", nil, fmt.Errorf("expected no more than 10 oci layers, got %d", len(ociManifest.Layers))
 		}
 
-		if !slices.Contains(c.allowedMediaTypes, ociManifest.Layers[0].MediaType) {
-			return "", nil, fmt.Errorf("oci layer media type %s is not in the list of allowed media types", ociManifest.Layers[0].MediaType)
+		contentLayers := 0
+
+		// Strictly speaking we only allow for a single content layer. There are images which contains extra layers, such
+		// as provenance/attestation layers. Pending a better story to do this natively, we will skip such layers for now.
+		for _, layer := range ociManifest.Layers {
+			if isContentLayer(layer.MediaType) {
+				if !slices.Contains(c.allowedMediaTypes, layer.MediaType) {
+					return "", nil, fmt.Errorf("oci layer media type %s is not in the list of allowed media types", layer.MediaType)
+				}
+
+				contentLayers++
+			}
+		}
+
+		if contentLayers != 1 {
+			return "", nil, fmt.Errorf("expected only a single oci content layer, got %d", contentLayers)
 		}
 
 		err = saveCompressedImageToPath(ctx, digest, c.repo, cachedPath)
@@ -405,7 +421,15 @@ func fileExists(filePath string) (bool, error) {
 	return true, nil
 }
 
+// TODO: A content layer could in theory be something that is not a compressed file, e.g a single yaml file or like.
+// While IMO the utility in the context of Argo CD is limited, I'd at least like to make it known here and add an extensibility
+// point for it in case we decide to loosen the current requirements.
+func isContentLayer(mediaType string) bool {
+	return isCompressedLayer(mediaType)
+}
+
 func isCompressedLayer(mediaType string) bool {
+	// TODO: Is zstd something which is used in the wild? For now let's stick to these suffixes
 	return strings.HasSuffix(mediaType, "tar+gzip") || strings.HasSuffix(mediaType, "tar")
 }
 
@@ -500,7 +524,7 @@ func isHelmOCI(mediaType string) bool {
 // Push looks in all the layers of an OCI image. Once it finds a layer that is compressed, it extracts the layer to a tempDir
 // and then renames the temp dir to the directory where the repo-server expects to find k8s manifests.
 func (s *compressedLayerExtracterStore) Push(ctx context.Context, desc imagev1.Descriptor, content io.Reader) error {
-	if isCompressedLayer(desc.MediaType) {
+	if isContentLayer(desc.MediaType) {
 		srcDir, err := files.CreateTempDir(os.TempDir())
 		if err != nil {
 			return err

@@ -122,7 +122,7 @@ func Test_nativeOCIClient_Extract(t *testing.T) {
 			expectedError: errors.New("cannot extract contents of oci image with revision sha256:1b6dfd71e2b35c2f35dffc39007c2276f3c0e235cbae4c39cba74bd406174e22: failed to perform \"Push\" on destination: could not decompress layer: error while iterating on tar reader: unexpected EOF"),
 		},
 		{
-			name: "extraction fails due to multiple layers",
+			name: "extraction fails due to multiple content layers",
 			fields: fields{
 				allowedMediaTypes: []string{imagev1.MediaTypeImageLayerGzip},
 			},
@@ -135,7 +135,21 @@ func Test_nativeOCIClient_Extract(t *testing.T) {
 				manifestMaxExtractedSize:        1000,
 				disableManifestMaxExtractedSize: false,
 			},
-			expectedError: errors.New("expected only a single oci layer, got 2"),
+			expectedError: errors.New("expected only a single oci content layer, got 2"),
+		},
+		{
+			name: "extraction with multiple layers, but just a single content layer",
+			fields: fields{
+				allowedMediaTypes: []string{imagev1.MediaTypeImageLayerGzip},
+			},
+			args: args{
+				digestFunc: func(store *memory.Store) string {
+					layerBlob := createGzippedTarWithContent(t, "some-path", "some content")
+					return generateManifest(t, store, layerConf{content.NewDescriptorFromBytes(imagev1.MediaTypeImageLayerGzip, layerBlob), layerBlob}, layerConf{content.NewDescriptorFromBytes("application/vnd.cncf.helm.chart.provenance.v1.prov", []byte{}), []byte{}})
+				},
+				manifestMaxExtractedSize:        1000,
+				disableManifestMaxExtractedSize: false,
+			},
 		},
 		{
 			name: "extraction fails due to invalid media type",