
api/pull: Validate repo name

Copy the check for "scratch" image pull attempt from the distribution
to the API.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Paweł Gronowski 1 year ago
parent
commit
0c4397deaf
1 changed files with 15 additions and 0 deletions
  1. 15 0
      api/server/router/image/image_routes.go

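--- a/api/server/router/image/image_routes.go
+++ b/api/server/router/image/image_routes.go
@@ -2,6 +2,7 @@ package image // import "github.com/docker/docker/api/server/router/image"
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -11,6 +12,7 @@ import (
 
 	"github.com/containerd/containerd/platforms"
 	"github.com/distribution/reference"
+	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
@@ -92,6 +94,10 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit
 			}
 		}
 
+		if err := validateRepoName(ref); err != nil {
+			return errdefs.Forbidden(err)
+		}
+
 		// For a pull it is not an error if no auth was given. Ignore invalid
 		// AuthConfig to increase compatibility with the existing API.
 		authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))
@@ -511,3 +517,12 @@ func (ir *imageRouter) postImagesPrune(ctx context.Context, w http.ResponseWrite
 	}
 	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
 }
+
+// validateRepoName validates the name of a repository.
+func validateRepoName(name reference.Named) error {
+	familiarName := reference.FamiliarName(name)
+	if familiarName == api.NoBaseImageSpecifier {
+		return fmt.Errorf("'%s' is a reserved name", familiarName)
+	}
+	return nil
+}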
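Review bot: The doc comment on validateRepoName (last hunk) says only that it validates the name, but the body rejects exactly one case: a reference whose familiar name equals api.NoBaseImageSpecifier. The description says this is a copy of the check in the distribution code, so I would record that in the comment to keep the two in step, e.g. `// validateRepoName returns an error if name is the reserved "scratch" image (api.NoBaseImageSpecifier). It mirrors the check in the distribution code; keep the two in sync.` The commit changes only this file, so nothing pins the new Forbidden path. A small table test covering the reserved name and an ordinary name would catch the copies drifting apart. The call site is inside postImagesCreate, whose body starts and ends outside the hunk, so whether `ref` is always non-nil at that point is not visible here.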