
Commit 49b52ba

simonbairdclaude
andcommitted
Fix non-constant format string errors in Go 1.24.6
Updated ImageReferenceInStubRegistry function to accept a pre-composed string instead of format string + args to comply with Go 1.24.6's stricter format string validation that prevents format string injection vulnerabilities. See also commit 9a8c021 in release-v0.6 branch which is similar, and also 12e1018 in release-v0.7 branch. Co-authored-by: Claude Code <[email protected]>
1 parent ef63673 commit 49b52ba


3 files changed

+12
-12
lines changed


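--- a/acceptance/image/image.go
+++ b/acceptance/image/image.go
@@ -198,7 +198,7 @@ func CreateAndPushImageSignature(ctx context.Context, imageName string, keyName
 }
 
 // the name of the image + the <hash>.sig tag
-ref, err := registry.ImageReferenceInStubRegistry(ctx, imageName+":%s-%s.sig", digest.Algorithm, digest.Hex)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, fmt.Sprintf("%s:%s-%s.sig", imageName, digest.Algorithm, digest.Hex))
 if err != nil {
 return ctx, err
 }
@@ -306,7 +306,7 @@ func createAndPushAttestationWithPatches(ctx context.Context, imageName, keyName
 }
 
 // the name of the image + the <hash>.att tag
-ref, err := registry.ImageReferenceInStubRegistry(ctx, imageName+":%s-%s.att", digest.Algorithm, digest.Hex)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, fmt.Sprintf("%s:%s-%s.att", imageName, digest.Algorithm, digest.Hex))
 if err != nil {
 return ctx, err
 }
@@ -401,7 +401,7 @@ func createAndPushImageWithLayer(ctx context.Context, imageName string, files *g
 func createAndPushLayer(ctx context.Context, content string, imageName string) (context.Context, error) {
 l := s.NewLayer([]byte(content), types.OCIUncompressedLayer)
 
-ref, err := registry.ImageReferenceInStubRegistry(ctx, "%s", imageName)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, imageName)
 if err != nil {
 return ctx, err
 }
@@ -489,7 +489,7 @@ func createAndPushPlainImage(ctx context.Context, imageName string, patch patchF
 return ctx, "", err
 }
 
-ref, err := registry.ImageReferenceInStubRegistry(ctx, "%s", imageName)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, imageName)
 if err != nil {
 return ctx, "", err
 }
@@ -535,7 +535,7 @@ func resolveRefDigest(url string) (string, error) {
 // createAndPushKeylessImage loads an existing image from disk, along its signature and attestation
 // into the docker registry.
 func createAndPushKeylessImage(ctx context.Context, imageName string) (context.Context, error) {
-ref, err := registry.ImageReferenceInStubRegistry(ctx, "%s", imageName)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, imageName)
 if err != nil {
 return ctx, err
 }
@@ -705,7 +705,7 @@ func createAndPushPolicyBundle(ctx context.Context, imageName string, files *god
 }
 }
 
-ref, err := registry.ImageReferenceInStubRegistry(ctx, "%s", imageName)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, imageName)
 if err != nil {
 return ctx, err
 }
@@ -912,7 +912,7 @@ func steal(what string) func(context.Context, string, string) (context.Context,
 return ctx, err
 }
 
-fromRef, err := registry.ImageReferenceInStubRegistry(ctx, signatureFrom+":%s-%s.%s", fromDigest.Algorithm, fromDigest.Hex, what)
+fromRef, err := registry.ImageReferenceInStubRegistry(ctx, fmt.Sprintf("%s:%s-%s.%s", signatureFrom, fromDigest.Algorithm, fromDigest.Hex, what))
 if err != nil {
 return ctx, err
 }
@@ -932,7 +932,7 @@ func steal(what string) func(context.Context, string, string) (context.Context,
 return ctx, err
 }
 
-toRef, err := registry.ImageReferenceInStubRegistry(ctx, imageName+":%s-%s.%s", toDigest.Algorithm, toDigest.Hex, what)
+toRef, err := registry.ImageReferenceInStubRegistry(ctx, fmt.Sprintf("%s:%s-%s.%s", imageName, toDigest.Algorithm, toDigest.Hex, what))
 if err != nil {
 return ctx, err
 }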
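Review bot: The tag layout `<algorithm>-<hex>.<suffix>` is now written out in four separate `fmt.Sprintf` calls (the `.sig` and `.att` call sites and both references in `steal`), so any change to that layout has to be repeated in each of them. An unexported helper such as `func tagRef(image, algorithm, hex, suffix string) string { return fmt.Sprintf("%s:%s-%s.%s", image, algorithm, hex, suffix) }` would keep it in one place and shorten the call sites. In `steal`, `what` still goes into the tag unchecked; if it is only ever a fixed suffix such as `sig` or `att`, a comment saying so would help. Every enclosing function starts or ends outside its hunk.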

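--- a/acceptance/registry/registry.go
+++ b/acceptance/registry/registry.go
@@ -99,14 +99,14 @@ func startStubRegistry(ctx context.Context) (context.Context, error) {
 }
 
 // ImageReferenceInStubRegistry returns a reference for an image constructed by concatenating
-// the host:port/`name` where the name is formatted by the given format and arguments
-func ImageReferenceInStubRegistry(ctx context.Context, format string, args ...interface{}) (name.Reference, error) {
+// the host:port/`imageName`
+func ImageReferenceInStubRegistry(ctx context.Context, imageName string) (name.Reference, error) {
 registry, err := StubRegistry(ctx)
 if err != nil {
 return nil, err
 }
 
-imageRef := registry + "/" + fmt.Sprintf(format, args...)
+imageRef := registry + "/" + imageName
 
 ref, err := name.ParseReference(imageRef)
 if err != nil {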
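Review bot: The new doc comment on `ImageReferenceInStubRegistry` does not say that `imageName` is appended verbatim and may already carry a tag, which is how the image.go callers in this commit use it (`repo:<algorithm>-<hex>.sig`). Suggested wording: `// ImageReferenceInStubRegistry returns the reference host:port/imageName in the stub registry; imageName is used as-is (no formatting) and may include a tag.` Dropping the variadic `args` changes an exported signature, so any caller outside the three files in this commit would stop compiling; that cannot be checked from this page. The function body continues past the end of the hunk.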

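--- a/acceptance/tekton/bundles.go
+++ b/acceptance/tekton/bundles.go
@@ -78,7 +78,7 @@ func createTektonBundle(ctx context.Context, name string, data *godog.Table) (co
 }
 }
 
-ref, err := registry.ImageReferenceInStubRegistry(ctx, "%s", name)
+ref, err := registry.ImageReferenceInStubRegistry(ctx, name)
 if err != nil {
 return ctx, err
 }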
