Merge pull request from GHSA-xcq4-m2r3-cmrj

* Update azure.go * Update ecr.go * Update google.go * Update ecr_test.go * Update azure_test.go * Update google_test.go
aquasecurity · May 20, 2024 · cc489b1 · cc489b1
1 parent 013f71a
commit cc489b1
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 6 deletions.
diff --git a/pkg/fanal/image/registry/azure/azure.go b/pkg/fanal/image/registry/azure/azure.go
@@ -20,7 +20,7 @@ type Registry struct {
 }
 
 const (
-	azureURL = "azurecr.io"
+	azureURL = ".azurecr.io"
 	scope    = "https://management.azure.com/.default"
 	scheme   = "https"
 )

diff --git a/pkg/fanal/image/registry/azure/azure_test.go b/pkg/fanal/image/registry/azure/azure_test.go
@@ -19,6 +19,11 @@ func TestRegistry_CheckOptions(t *testing.T) {
 			name:   "happy path",
 			domain: "test.azurecr.io",
 		},
+		{
+			name:    "invalidURL",
+			domain:  "not-azurecr.io",
+			wantErr: "Azure registry: invalid url pattern",
+		},
 		{
 			name:    "invalidURL",
 			domain:  "alpine:3.9",

diff --git a/pkg/fanal/image/registry/ecr/ecr.go b/pkg/fanal/image/registry/ecr/ecr.go
@@ -14,7 +14,8 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
-const ecrURL = "amazonaws.com"
+const ecrURLSuffix = ".amazonaws.com"
+const ecrURLPartial = ".dkr.ecr"
 
 type ecrAPI interface {
 	GetAuthorizationToken(ctx context.Context, params *ecr.GetAuthorizationTokenInput, optFns ...func(*ecr.Options)) (*ecr.GetAuthorizationTokenOutput, error)
@@ -37,7 +38,7 @@ func getSession(option types.RegistryOptions) (aws.Config, error) {
 }
 
 func (e *ECR) CheckOptions(domain string, option types.RegistryOptions) error {
-	if !strings.HasSuffix(domain, ecrURL) {
+	if !strings.HasSuffix(domain, ecrURLSuffix) && !strings.Contains(domain, ecrURLPartial)  {
 		return xerrors.Errorf("ECR : %w", types.InvalidURLPattern)
 	}
 

diff --git a/pkg/fanal/image/registry/ecr/ecr_test.go b/pkg/fanal/image/registry/ecr/ecr_test.go
@@ -21,6 +21,14 @@ func TestCheckOptions(t *testing.T) {
 			domain:  "alpine:3.9",
 			wantErr: types.InvalidURLPattern,
 		},
+		"InvalidDomain": {
+			domain: "xxx.ecr.ap-northeast-1.not-amazonaws.com",
+			wantErr: types.InvalidURLPattern,
+		},
+		"InvalidSubdomain": {
+			domain: "xxx.s3.ap-northeast-1.amazonaws.com",
+			wantErr: types.InvalidURLPattern,
+		},
 		"NoOption": {
 			domain: "xxx.ecr.ap-northeast-1.amazonaws.com",
 		},

diff --git a/pkg/fanal/image/registry/google/google.go b/pkg/fanal/image/registry/google/google.go
@@ -18,13 +18,14 @@ type Registry struct {
 }
 
 // Google container registry
-const gcrURL = "gcr.io"
+const gcrURLDomain = "gcr.io"
+const gcrURLSuffix = ".gcr.io"
 
 // Google artifact registry
-const garURL = "docker.pkg.dev"
+const garURLSuffix = "-docker.pkg.dev"
 
 func (g *Registry) CheckOptions(domain string, option types.RegistryOptions) error {
-	if !strings.HasSuffix(domain, gcrURL) && !strings.HasSuffix(domain, garURL) {
+	if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) {
 		return xerrors.Errorf("Google registry: %w", types.InvalidURLPattern)
 	}
 	g.domain = domain

diff --git a/pkg/fanal/image/registry/google/google_test.go b/pkg/fanal/image/registry/google/google_test.go
@@ -21,6 +21,10 @@ func TestCheckOptions(t *testing.T) {
 			domain:  "alpine:3.9",
 			wantErr: types.InvalidURLPattern,
 		},
+		"InvalidDomain": {
+			domain:  "not-gcr.io",
+			wantErr: types.InvalidURLPattern,
+		},
 		"NoOption": {
 			domain: "gcr.io",
 			gcr:    &Registry{domain: "gcr.io"},