From 2121f28d3d43164284c02416ef01ec6afd9a5aa6 Mon Sep 17 00:00:00 2001
From: Bahaa Aldeen Ghazal <bahaa.ghazal@northern.tech>
Date: Mon, 23 Dec 2024 12:21:05 +0100
Subject: [PATCH] fix: Check file format when uploading artifacts

Changelog: Title
Ticket: MEN-7860
Signed-off-by: Bahaa Aldeen Ghazal <bahaa.ghazal@northern.tech>
---
 client/deployments/client.go | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/client/deployments/client.go b/client/deployments/client.go
index 5ede3d9a..d7c1d3de 100644
--- a/client/deployments/client.go
+++ b/client/deployments/client.go
@@ -14,6 +14,7 @@
 package deployments
 
 import (
+	"archive/tar"
 	"bytes"
 	"encoding/json"
 	"fmt"
@@ -296,6 +297,24 @@ func (c *Client) DirectUpload(
 		return errors.Wrap(err, "Cannot read artifact file stats")
 	}
 
+	tr := tar.NewReader(artifact)
+	versionH, err := tr.Next()
+	if err != nil {
+		return errors.Wrap(err, "Cannot find artifact")
+	} else if versionH.Name != "version" {
+		return errors.New("Invalid artifact format")
+	}
+	v := struct {
+		Format string `json:"format"`
+	}{}
+	err = json.NewDecoder(tr).Decode(&v)
+	if err != nil || v.Format != "mender" {
+		return errors.New("Invalid artifact format")
+	}
+	_, err = artifact.Seek(0, io.SeekStart)
+	if err != nil || v.Format != "mender" {
+		return err
+	}
 	var req *http.Request
 	if !noProgress {
 		// create progress bar
@@ -367,6 +386,24 @@ func (c *Client) UploadArtifact(
 		return errors.Wrap(err, "Cannot read artifact file stats")
 	}
 
+	tr := tar.NewReader(artifact)
+	versionH, err := tr.Next()
+	if err != nil {
+		return errors.Wrap(err, "Cannot find artifact")
+	} else if versionH.Name != "version" {
+		return errors.New("Invalid artifact format")
+	}
+	v := struct {
+		Format string `json:"format"`
+	}{}
+	err = json.NewDecoder(tr).Decode(&v)
+	if err != nil || v.Format != "mender" {
+		return errors.New("Invalid artifact format")
+	}
+	_, err = artifact.Seek(0, io.SeekStart)
+	if err != nil || v.Format != "mender" {
+		return err
+	}
 	// create pipe
 	pR, pW := io.Pipe()