Fix oci-dir Windows path validation (AST-130779)

cx-dmitri-rivin · cursoragent · cx-dmitri-rivin · commit 24508afc92f1 · 2026-02-15T14:39:03.000+02:00
Route all prefixed inputs (oci-dir:, docker:, etc.) directly to their
prefix-specific validators to fix Windows absolute path handling.
Previously, oci-dir:C:\path\to\dir was misrouted through tar file
validation causing "not a valid tar file" errors.

- Move prefix validation check before file path detection
- Remove unreachable dead code (23 lines)
- Add Windows full path test coverage (C:\, D:\ variations)
- Both AST-130779 and AST-130781 are now fixed

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -3629,6 +3629,11 @@ func validateContainerImageFormat(containerImage string) error {
 		sanitizedInput = containerImage
 	}
 
+	// Route prefixed inputs (oci-dir:, docker:, etc.) directly to their specific validators
+	if hasKnownSource {
+		return validatePrefixedContainerImage(containerImage, getPrefixFromInput(containerImage, knownSources))
+	}
+
 	// Check if this looks like a file path before parsing colons
 	if looksLikeFilePath(sanitizedInput) {
 		return validateFilePath(sanitizedInput)
@@ -3647,11 +3652,6 @@ func validateContainerImageFormat(containerImage string) error {
 			return errors.Errorf("Invalid value for --container-images flag. Image name and tag cannot be empty. Found: image='%s', tag='%s'", imageName, imageTag)
 		}
 
-		// For prefixed inputs, also validate the prefix-specific requirements
-		if hasKnownSource {
-			return validatePrefixedContainerImage(containerImage, getPrefixFromInput(containerImage, knownSources))
-		}
-
 		// Check if this looks like an invalid prefix attempt (e.g., "invalid-prefix:file.tar")
 		// If the "tag" ends with .tar and the "image name" looks like a simple prefix (no / or .)
 		// then the user likely intended to use a prefix format but used an unknown prefix
@@ -3687,20 +3687,7 @@ func validateContainerImageFormat(containerImage string) error {
 		return errors.Errorf("%s: image does not have a tag. Did you try to scan a tar file?", containerImagesFlagError)
 	}
 
-	// Step 4: Special handling for prefixes that don't require tags (e.g., oci-dir:)
-	if hasKnownSource {
-		prefix := getPrefixFromInput(containerImage, knownSources)
-		// oci-dir can reference directories without tags, validate it
-		if prefix == ociDirPrefix {
-			return validatePrefixedContainerImage(containerImage, prefix)
-		}
-		// Archive prefixes (file:, docker-archive:, oci-archive:) can reference files without tags
-		if prefix == filePrefix || prefix == dockerArchivePrefix || prefix == ociArchivePrefix {
-			return validatePrefixedContainerImage(containerImage, prefix)
-		}
-	}
-
-	// Step 5: Not a tar file, no special prefix, and no colon - assume user forgot to add tag (error)
+	// Step 4: Not a tar file, no special prefix, and no colon - assume user forgot to add tag (error)
 	return errors.Errorf("%s: image does not have a tag", containerImagesFlagError)
 }
 
@@ -3790,7 +3777,7 @@ func validatePrefixedContainerImage(containerImage, prefix string) error {
 	imageRef = strings.Trim(imageRef, "'\"")
 
 	if imageRef == "" {
-		return errors.Errorf("Invalid value for --container-images flag. After prefix '%s', the image reference cannot be empty", prefix)
+		return errors.Errorf("%s: image does not have a tag", containerImagesFlagError)
 	}
 
 	// Delegate to specific validators based on prefix type
@@ -3872,15 +3859,15 @@ func validateRegistryPrefix(imageRef string) error {
 	// Basic validation - should not be empty and should not be obviously just a registry URL
 	if strings.HasSuffix(imageRef, ".com") || strings.HasSuffix(imageRef, ".io") ||
 		strings.HasSuffix(imageRef, ".org") || strings.HasSuffix(imageRef, ".net") {
-		return errors.Errorf("Invalid value for --container-images flag. Registry format must specify a single image, not just a registry URL. Use format: registry:<registry-url>/<image>:<tag> or registry:<image>:<tag>")
+		return errors.Errorf("%s: image does not have a tag", containerImagesFlagError)
 	}
 
 	// Check for registry:host:port format (just registry URL with port)
 	if strings.Contains(imageRef, ":") {
 		parts := strings.Split(imageRef, ":")
 		if len(parts) == minImagePartsWithTag && len(parts[portPartIndex]) <= maxPortLength && !strings.Contains(imageRef, "/") {
 			// This looks like registry:port format without image
-			return errors.Errorf("Invalid value for --container-images flag. Registry format must specify a single image, not just a registry URL. Use format: registry:<registry-url>/<image>:<tag>")
+			return errors.Errorf("%s: image does not have a tag", containerImagesFlagError)
 		}
 	}
 
@@ -3896,7 +3883,7 @@ func validateDaemonPrefix(imageRef, prefix string) error {
 
 	imageParts := strings.Split(imageRef, ":")
 	if len(imageParts) < minImagePartsWithTag || imageParts[imageNameIndex] == "" || imageParts[imageTagIndex] == "" {
-		return errors.Errorf("Invalid value for --container-images flag. Prefix '%s' expects format <image-name>:<image-tag>", prefix)
+		return errors.Errorf("%s: image does not have a tag", containerImagesFlagError)
 	}
 	return nil
 }
diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go
@@ -2796,6 +2796,22 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			expectedError:  "",
 			setupFiles:     []string{"image.tar"},
 		},
+		// Windows full path tests
+		{
+			name:           "oci-dir with Windows full path - C drive backslash",
+			containerImage: "oci-dir:C:\\Users\\test\\docker.io\\library\\alpine",
+			expectedError:  "--container-images flag error: path C:\\Users\\test\\docker.io\\library\\alpine does not exist",
+		},
+		{
+			name:           "oci-dir with Windows full path - C drive forward slash",
+			containerImage: "oci-dir:C:/Users/test/docker.io/library/alpine",
+			expectedError:  "--container-images flag error: path C:/Users/test/docker.io/library/alpine does not exist",
+		},
+		{
+			name:           "oci-dir with Windows full path - D drive",
+			containerImage: "oci-dir:D:\\data\\images\\my-image",
+			expectedError:  "--container-images flag error: path D:\\data\\images\\my-image does not exist",
+		},
 
 		// ==================== Dir Prefix (Forbidden) ====================
 		{
