api/pull: Validate repo name

Copy the check for "scratch" image pull attempt from the distribution to the API. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-09-14 14:22:11 +02:00 · 2023-09-14 14:22:11 +02:00 · 0c4397deaf
commit 0c4397deaf
parent ccb37fa567
1 changed files with 15 additions and 0 deletions
--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@ -2,6 +2,7 @@ package image // import "github.com/docker/docker/api/server/router/image"

 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@ -11,6 +12,7 @@ import (

 	"github.com/containerd/containerd/platforms"
 	"github.com/distribution/reference"
+	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
@ -92,6 +94,10 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 			}
 		}

+		if err := validateRepoName(ref); err != nil {
+			return errdefs.Forbidden(err)
+		}
+
 		// For a pull it is not an error if no auth was given. Ignore invalid
 		// AuthConfig to increase compatibility with the existing API.
 		authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
@ -511,3 +517,12 @@ func (ir *imageRouter) postImagesPrune(ctx context.Context, w http.ResponseWrite
 	}
 	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
 }
+
+// validateRepoName validates the name of a repository.
+func validateRepoName(name reference.Named) error {
+	familiarName := reference.FamiliarName(name)
+	if familiarName == api.NoBaseImageSpecifier {
+		return fmt.Errorf("'%s' is a reserved name", familiarName)
+	}
+	return nil
+}