KEMBAR78
fix: Don't return JSON auth config for partial registry name match by kiview · Pull Request #6323 · testcontainers/testcontainers-java · GitHub
Skip to content

fix: Don't return JSON auth config for partial registry name match #6323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 10, 2023
Merged

fix: Don't return JSON auth config for partial registry name match #6323

merged 1 commit into from
Jan 10, 2023

Conversation

@kiview
Copy link
Member

@kiview kiview commented Dec 23, 2022
edited
Loading

With the current implementation, looking up the JSON file based auth config for an image registry.example.co/org/repo would return the auth config for https://registry.example.com (note the missing m from the TLD of the image name).

I can not think of a case where this is a desired behavior and in addition, this could be a potential part in a more sophisticated exploit chain (although I don't expect this to be likely for Testcontainers usage scenarios).

This implementation mitigates this issue by ensuring that the parsed repository name has to exactly match the string of the registry following the protocol (http(s)://).

@kiview kiview requested a review from a team December 23, 2022 14:32
@HofmeisterAn
Copy link
Contributor

/cc @cristianrgreco

@HofmeisterAn HofmeisterAn mentioned this pull request Jan 3, 2023
Closed
@eddumelendez eddumelendez added this to the next milestone Jan 10, 2023
@eddumelendez eddumelendez merged commit dee69b2 into main Jan 10, 2023
@eddumelendez eddumelendez deleted the fix-registry-lookup branch January 10, 2023 16:01
@cristianrgreco cristianrgreco mentioned this pull request Mar 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eddumelendez eddumelendez eddumelendez approved these changes

@HofmeisterAn HofmeisterAn HofmeisterAn approved these changes

Assignees

No one assigned

Labels

type/bug

Projects

None yet

Milestone

1.18.0

Development

Successfully merging this pull request may close these issues.

3 participants

@kiview @HofmeisterAn @eddumelendez