
Commit 1179343

Merge pull request kubernetes#94712 from droslean/cred-leak
[credentialprovider] avoid potential secret leaking while reading .dockercfg
2 parents 3a42886 + b907f9e commit 1179343


2 files changed

+102
-7
lines changed


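--- a/pkg/credentialprovider/config.go
+++ b/pkg/credentialprovider/config.go
@@ -117,10 +117,14 @@ func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
 continue
 }
 cfg, err := readDockerConfigFileFromBytes(contents)
-if err == nil {
-klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
-return cfg, nil
+if err != nil {
+klog.V(4).Infof("couldn't get the config from %q contents: %v", absDockerConfigFileLocation, err)
+continue
 }
+
+klog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
+return cfg, nil
+
 }
 return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
 }
@@ -230,17 +234,15 @@ func ReadDockerConfigFileFromURL(url string, client *http.Client, header *http.H
 
 func readDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
 if err = json.Unmarshal(contents, &cfg); err != nil {
-klog.Errorf("while trying to parse blob %q: %v", contents, err)
-return nil, err
+return nil, errors.New("error occurred while trying to unmarshal json")
 }
 return
 }
 
 func readDockerConfigJSONFileFromBytes(contents []byte) (cfg DockerConfig, err error) {
 var cfgJSON DockerConfigJSON
 if err = json.Unmarshal(contents, &cfgJSON); err != nil {
-klog.Errorf("while trying to parse blob %q: %v", contents, err)
-return nil, err
+return nil, errors.New("error occurred while trying to unmarshal json")
 }
 cfg = cfgJSON.Auths
 return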
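Review bot: Nothing in the two unmarshal helpers of the second hunk (`readDockerConfigFileFromBytes` and `readDockerConfigJSONFileFromBytes`) records why the decoder error is discarded, so a later cleanup could restore `%v` of `err` or `%q` of `contents` and bring the credential logging back. I would put a comment above each new return, e.g. `// Deliberately opaque: contents holds registry credentials, and encoding/json errors can echo fragments of the input.` The identical literal is also written twice; a single package-level `var errUnmarshalDockerConfig = errors.New("error occurred while trying to unmarshal json")` would let both helpers and the tests share it and allow `errors.Is` instead of string matching. The body of `readDockerConfigJSONFileFromBytes` continues past the end of the hunk.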

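--- a/pkg/credentialprovider/config_test.go
+++ b/pkg/credentialprovider/config_test.go
@@ -309,3 +309,96 @@ func TestDockerConfigEntryJSONCompatibleEncode(t *testing.T) {
 }
 }
 }
+
+func TestReadDockerConfigFileFromBytes(t *testing.T) {
+testCases := []struct {
+id string
+input []byte
+expectedCfg DockerConfig
+errorExpected bool
+expectedErrorMsg string
+}{
+{
+id: "valid input, no error expected",
+input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "[email protected]"}}`),
+expectedCfg: DockerConfig(map[string]DockerConfigEntry{
+"http://foo.example.com": {
+Username: "foo",
+Password: "bar",
+
+},
+}),
+},
+{
+id: "invalid input, error expected",
+input: []byte(`{"http://foo.example.com":{"username": "foo", "password": "bar", "email": "[email protected]"`),
+errorExpected: true,
+expectedErrorMsg: "error occurred while trying to unmarshal json",
+},
+}
+
+for _, tc := range testCases {
+cfg, err := readDockerConfigFileFromBytes(tc.input)
+if err != nil && !tc.errorExpected {
+t.Fatalf("Error was not expected: %v", err)
+}
+if err != nil && tc.errorExpected {
+if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
+t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
+}
+} else {
+if !reflect.DeepEqual(cfg, tc.expectedCfg) {
+t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
+}
+}
+}
+}
+
+func TestReadDockerConfigJSONFileFromBytes(t *testing.T) {
+testCases := []struct {
+id string
+input []byte
+expectedCfg DockerConfig
+errorExpected bool
+expectedErrorMsg string
+}{
+{
+id: "valid input, no error expected",
+input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "[email protected]"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "[email protected]"}}}`),
+expectedCfg: DockerConfig(map[string]DockerConfigEntry{
+"http://foo.example.com": {
+Username: "foo",
+Password: "bar",
+
+},
+"http://bar.example.com": {
+Username: "bar",
+Password: "baz",
+
+},
+}),
+},
+{
+id: "invalid input, error expected",
+input: []byte(`{"auths": {"http://foo.example.com":{"username": "foo", "password": "bar", "email": "[email protected]"}, "http://bar.example.com":{"username": "bar", "password": "baz", "email": "[email protected]"`),
+errorExpected: true,
+expectedErrorMsg: "error occurred while trying to unmarshal json",
+},
+}
+
+for _, tc := range testCases {
+cfg, err := readDockerConfigJSONFileFromBytes(tc.input)
+if err != nil && !tc.errorExpected {
+t.Fatalf("Error was not expected: %v", err)
+}
+if err != nil && tc.errorExpected {
+if !reflect.DeepEqual(err.Error(), tc.expectedErrorMsg) {
+t.Fatalf("Expected error message: `%s` got `%s`", tc.expectedErrorMsg, err.Error())
+}
+} else {
+if !reflect.DeepEqual(cfg, tc.expectedCfg) {
+t.Fatalf("expected: %v got %v", tc.expectedCfg, cfg)
+}
+}
+}
+}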
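Review bot: In both new tests the case where an error is expected but none is returned is never checked directly: with `err == nil` and `tc.errorExpected` true, the loop takes the `else` branch and fails only because `cfg` differs from the zero `expectedCfg`, with a message about config mismatch rather than a missing error. An explicit `if (err != nil) != tc.errorExpected { t.Fatalf("%s: unexpected error state: %v", tc.id, err) }` ahead of the comparisons would pin that, and would also put the otherwise unused `id` field into the failure output. `reflect.DeepEqual` on two strings can be a plain `!=`. The tests pin the returned error text but not that nothing is written to the log, which is where the blob was exposed before this commit; a short comment noting that gap would help the next reader.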
