From bcba79c10eb93159962670dc672ac3f00f00ddbe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Oct 2025 16:00:21 +0000
Subject: [PATCH 1/3] Initial plan


From 306dcf987584f7beab9c9607bf71420678d51ace Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Oct 2025 16:12:50 +0000
Subject: [PATCH 2/3] Add Docker authentication support for pulling from
 authenticated repos

Co-authored-by: ericcurtin <1694275+ericcurtin@users.noreply.github.com>
---
 common/arg.cpp | 56 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/common/arg.cpp b/common/arg.cpp
index 54df2df87276c..5e323b6e4ac66 100644
--- a/common/arg.cpp
+++ b/common/arg.cpp
@@ -813,11 +813,65 @@ std::pair<long, std::vector<char>> common_remote_get_content(const std::string &
 // Docker registry functions
 //
 
+// Read Docker credentials from ~/.docker/config.json
+static std::string common_docker_get_credentials() {
+    const char * home = std::getenv("HOME");
+    if (!home) {
+#ifdef _WIN32
+        home = std::getenv("USERPROFILE");
+        if (!home) {
+            return "";
+        }
+#else
+        return "";
+#endif
+    }
+
+    std::string   config_path = std::string(home) + "/.docker/config.json";
+    std::ifstream config_file(config_path);
+    if (!config_file.is_open()) {
+        return "";
+    }
+
+    try {
+        nlohmann::ordered_json config;
+        config_file >> config;
+        config_file.close();
+
+        // Docker Hub registry can be listed as "https://index.docker.io/v1/" or similar
+        std::vector<std::string> registry_urls = {
+            "https://index.docker.io/v1/",
+            "index.docker.io",
+            "docker.io",
+        };
+
+        for (const auto & registry_url : registry_urls) {
+            if (config.contains("auths") && config["auths"].contains(registry_url)) {
+                const auto & auth_entry = config["auths"][registry_url];
+                if (auth_entry.contains("auth") && auth_entry["auth"].is_string()) {
+                    return auth_entry["auth"].get<std::string>();
+                }
+            }
+        }
+    } catch (const std::exception & e) {
+        LOG_DBG("%s: Failed to parse Docker config: %s\n", __func__, e.what());
+    }
+
+    return "";
+}
+
 static std::string common_docker_get_token(const std::string & repo) {
     std::string url = "https://auth.docker.io/token?service=registry.docker.io&scope=repository:" + repo + ":pull";
 
     common_remote_params params;
-    auto                 res = common_remote_get_content(url, params);
+
+    // Add Docker credentials if available
+    std::string credentials = common_docker_get_credentials();
+    if (!credentials.empty()) {
+        params.headers.push_back("Authorization: Basic " + credentials);
+    }
+
+    auto res = common_remote_get_content(url, params);
 
     if (res.first != 200) {
         throw std::runtime_error("Failed to get Docker registry token, HTTP code: " + std::to_string(res.first));

From 263bdd3afd6ae185adb4c49feb422bd53eea7c51 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Oct 2025 16:17:09 +0000
Subject: [PATCH 3/3] Address code review feedback: improve cross-platform
 support and security

Co-authored-by: ericcurtin <1694275+ericcurtin@users.noreply.github.com>
---
 common/arg.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/common/arg.cpp b/common/arg.cpp
index 5e323b6e4ac66..65ee2c59eeb6f 100644
--- a/common/arg.cpp
+++ b/common/arg.cpp
@@ -827,16 +827,25 @@ static std::string common_docker_get_credentials() {
 #endif
     }
 
-    std::string   config_path = std::string(home) + "/.docker/config.json";
-    std::ifstream config_file(config_path);
+    std::filesystem::path config_path = std::filesystem::path(home) / ".docker" / "config.json";
+    std::ifstream         config_file(config_path);
     if (!config_file.is_open()) {
         return "";
     }
 
     try {
+        // Check file size to prevent memory exhaustion (Docker config should be small)
+        config_file.seekg(0, std::ios::end);
+        const auto file_size = config_file.tellg();
+        config_file.seekg(0, std::ios::beg);
+
+        if (file_size > 1024 * 1024) {  // Limit to 1MB
+            LOG_DBG("%s: Docker config file too large: %ld bytes\n", __func__, static_cast<long>(file_size));
+            return "";
+        }
+
         nlohmann::ordered_json config;
         config_file >> config;
-        config_file.close();
 
         // Docker Hub registry can be listed as "https://index.docker.io/v1/" or similar
         std::vector<std::string> registry_urls = {
@@ -854,7 +863,7 @@ static std::string common_docker_get_credentials() {
             }
         }
     } catch (const std::exception & e) {
-        LOG_DBG("%s: Failed to parse Docker config: %s\n", __func__, e.what());
+        LOG_DBG("%s: Failed to parse Docker config at %s: %s\n", __func__, config_path.string().c_str(), e.what());
     }
 
     return "";