moby / moby

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
https://mobyproject.org/
Apache License 2.0

X-Registry-Auth header decode fails silently #34959

Open platy opened 7 years ago

platy commented 7 years ago

If the base64url or json decoding of the X-Registry-Auth header fails, the error is swallowed and the credentials are taken as empty. https://github.com/moby/moby/blob/4bf8714fac11e95e835cf78eb15ba5a518c67c4b/api/server/router/image/image_routes.go#L98-L107

The code comment states:

    // for a pull it is not an error if no auth was given
    // to increase compatibility with the existing api it is defaulting to be empty

But this situation is not that no auth was given, but that it was badly encoded. If there is a backward compatibility issue, there should be a better way to tackle it than ignoring the header entirely on error.
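The distinction raised in this report, as an added Go example (not code from moby): `decodeLenient` drops the decode error the way the issue describes, while `decodeStrict` still accepts a missing header but reports a malformed one. The `AuthConfig` struct, the function names and `ErrMalformedAuth` are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthConfig is a hypothetical stand-in for the registry credentials struct.
type AuthConfig struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// ErrMalformedAuth marks a header that was sent but could not be decoded.
var ErrMalformedAuth = errors.New("malformed X-Registry-Auth header")

// decodeStrict keeps "no header" valid (anonymous pull) but reports a
// header that is present and fails base64url or JSON decoding.
func decodeStrict(header string) (AuthConfig, error) {
	var cfg AuthConfig
	if header == "" {
		return cfg, nil
	}
	r := base64.NewDecoder(base64.URLEncoding, strings.NewReader(header))
	if err := json.NewDecoder(r).Decode(&cfg); err != nil {
		return AuthConfig{}, fmt.Errorf("%w: %v", ErrMalformedAuth, err)
	}
	return cfg, nil
}

// decodeLenient models the behaviour the issue describes: the decode
// error is swallowed, so a malformed header looks like an absent one.
func decodeLenient(header string) AuthConfig {
	cfg, _ := decodeStrict(header)
	return cfg
}

func main() {
	bad := "not*base64" // constructed sample: '*' is not in the base64url alphabet
	fmt.Printf("lenient: %+v\n", decodeLenient(bad))
	_, err := decodeStrict(bad)
	fmt.Println("strict:", err)
}
```

With the strict variant the handler can answer a bad header with a client error instead of proceeding as an anonymous request.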

boaz0 commented 7 years ago

I guess we can print a warning on the server side and print an error on the client side saying that it might be a problem with the authentication.

Jeyanthinath commented 7 years ago

@ripcurld0 I would love to contribute to this project. Shall I take this? If you give me some leads, I would complete it with ease :+1:

boaz0 commented 7 years ago

@Jeyanthinath yes sure, feel free to send a pull request.

I guess you will have to do these steps:

Feel free to IM me at docker-community slack (register here); my handle is bshust.