Validate the tags returned by a registry

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-04-18 19:44:05 +03:00 · 2024-04-18 19:10:39 +02:00 · 2024-04-18 19:10:39 +02:00 · 4b2d28a409
commit 4b2d28a409
parent 1b9415b7eb
1 changed files with 6 additions and 1 deletions
--- a/docker/docker_image.go
+++ b/docker/docker_image.go
@ -88,7 +88,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
 		if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
 			return nil, err
 		}
-		tags = append(tags, tagsHolder.Tags...)
+		for _, tag := range tagsHolder.Tags {
+			if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
+				return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
+			}
+			tags = append(tags, tag)
+		}

 		link := res.Header.Get("Link")
 		if link == "" {