Fix bug which allowed for implicit library namespace access via the V1 registry protocol when the feature flag was off
Now we raise a 400 as expected
parent
178c8e7cb0
commit
77adf9dd77
2 changed files with 20 additions and 5 deletions
|
@ -9,7 +9,7 @@ import features
|
||||||
|
|
||||||
from app import app
|
from app import app
|
||||||
from auth.auth_context import get_authenticated_context
|
from auth.auth_context import get_authenticated_context
|
||||||
from util.names import parse_namespace_repository
|
from util.names import parse_namespace_repository, ImplicitLibraryNamespaceNotAllowed
|
||||||
from util.http import abort
|
from util.http import abort
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
@ -26,9 +26,14 @@ def parse_repository_name(include_tag=False,
|
||||||
def inner(func):
|
def inner(func):
|
||||||
@wraps(func)
|
@wraps(func)
|
||||||
def wrapper(*args, **kwargs):
|
def wrapper(*args, **kwargs):
|
||||||
repo_name_components = parse_namespace_repository(kwargs[incoming_repo_kwarg],
|
try:
|
||||||
app.config['LIBRARY_NAMESPACE'],
|
repo_name_components = parse_namespace_repository(kwargs[incoming_repo_kwarg],
|
||||||
include_tag=include_tag)
|
app.config['LIBRARY_NAMESPACE'],
|
||||||
|
include_tag=include_tag,
|
||||||
|
allow_library=features.LIBRARY_SUPPORT)
|
||||||
|
except ImplicitLibraryNamespaceNotAllowed:
|
||||||
|
abort(400)
|
||||||
|
|
||||||
del kwargs[incoming_repo_kwarg]
|
del kwargs[incoming_repo_kwarg]
|
||||||
kwargs[ns_kwarg_name] = repo_name_components[0]
|
kwargs[ns_kwarg_name] = repo_name_components[0]
|
||||||
kwargs[repo_kwarg_name] = repo_name_components[1]
|
kwargs[repo_kwarg_name] = repo_name_components[1]
|
||||||
|
|
|
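Review bot: The `except ImplicitLibraryNamespaceNotAllowed:` branch in `wrapper` rejects the request with a bare `abort(400)` and logs nothing, so neither the client nor an operator can tell that the library-namespace check caused the rejection. The module already defines `logger`, so a line such as `logger.debug('Implicit library namespace not allowed: %s', kwargs[incoming_repo_kwarg])` before the abort would leave a trace. If `abort` from `util.http` accepts a message argument (not visible here), it should carry a short reason. The statements after the `try` also depend on `abort` raising, since `repo_name_components` is otherwise unbound; presumably it does, and a short comment saying so would help. Neither of the two changed files appears to be a test, so a regression test that sends a single-component repository name with library support off and expects a 400 would pin this fix; `wrapper` continues past the end of the hunk.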
@ -14,6 +14,13 @@ TAG_REGEX = re.compile(FULL_TAG_PATTERN)
|
||||||
TAG_ERROR = ('Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", '
|
TAG_ERROR = ('Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", '
|
||||||
'and can contain 1-128 characters')
|
'and can contain 1-128 characters')
|
||||||
|
|
||||||
|
|
||||||
|
class ImplicitLibraryNamespaceNotAllowed(Exception):
|
||||||
|
""" Exception raised if the implicit library namespace was specified but is
|
||||||
|
not allowed. """
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
def escape_tag(tag, default='latest'):
|
def escape_tag(tag, default='latest'):
|
||||||
""" Escapes a Docker tag, ensuring it matches the tag regular expression. """
|
""" Escapes a Docker tag, ensuring it matches the tag regular expression. """
|
||||||
if not tag:
|
if not tag:
|
||||||
|
@ -24,13 +31,16 @@ def escape_tag(tag, default='latest'):
|
||||||
return tag[0:127]
|
return tag[0:127]
|
||||||
|
|
||||||
|
|
||||||
def parse_namespace_repository(repository, library_namespace, include_tag=False):
|
def parse_namespace_repository(repository, library_namespace, include_tag=False,
|
||||||
|
allow_library=True):
|
||||||
repository = repository.encode('unidecode', 'ignore')
|
repository = repository.encode('unidecode', 'ignore')
|
||||||
|
|
||||||
parts = repository.rstrip('/').split('/', 1)
|
parts = repository.rstrip('/').split('/', 1)
|
||||||
if len(parts) < 2:
|
if len(parts) < 2:
|
||||||
namespace = library_namespace
|
namespace = library_namespace
|
||||||
repository = parts[0]
|
repository = parts[0]
|
||||||
|
if not allow_library:
|
||||||
|
raise ImplicitLibraryNamespaceNotAllowed()
|
||||||
else:
|
else:
|
||||||
(namespace, repository) = parts
|
(namespace, repository) = parts
|
||||||
|
|
||||||
|
|
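Review bot: The default `allow_library=True` on `parse_namespace_repository` leaves the function fail-open: any caller that does not pass the feature flag still maps a single-component name to `library_namespace` when library support is off. This commit touches only two files and updates only the decorator call site, so other callers of this function (if any exist outside this page) are worth auditing, or the parameter could be made required so each caller has to choose. The new `if not allow_library:` check also sits after the `namespace` and `repository` assignments; placing `if not allow_library: raise ImplicitLibraryNamespaceNotAllowed()` as the first statement of the `len(parts) < 2` branch would make it read as a guard. The function has no docstring, and one stating that it raises `ImplicitLibraryNamespaceNotAllowed` when the name has no namespace component and `allow_library` is false would document the new contract. The function body continues outside the hunk.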