Fix secret image filter regex (woodpecker-ci#2674)

6543-forks · Oct 31, 2023 · a39b66e · a39b66e
1 parent 4d1ddab
commit a39b66e
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 9 deletions.
diff --git a/server/model/secret.go b/server/model/secret.go
@@ -115,10 +115,14 @@ func (s *Secret) Match(event WebhookEvent) bool {
 }
 
 var validDockerImageString = regexp.MustCompile(
-	`^([\w\d\-_\.\/]*` + // optional url prefix
-		`[\w\d\-_]+` + // image name
-		`)+` +
-		`(:[\w\d\-_]+)?$`, // optional image tag
+	`^(` +
+		`[\w\d\-_\.]+` + // hostname
+		`(:\d+)?` + // optional port
+		`/)?` + // optional hostname + port
+		`([\w\d\-_\.][\w\d\-_\.\/]*/)?` + // optional url prefix
+		`([\w\d\-_]+)` + // image name
+		`(:[\w\d\-_]+)?` + // optional image tag
+		`$`,
 )
 
 // Validate validates the required fields and formats.

diff --git a/server/model/secret_test.go b/server/model/secret_test.go
@@ -40,7 +40,7 @@ func TestSecret(t *testing.T) {
 				Name:   "secretname",
 				Value:  "secretvalue",
 				Events: []WebhookEvent{EventPush},
-				Images: []string{"docker.io/library/mysql:latest", "alpine"},
+				Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 			}
 			err := secret.Validate()
 			g.Assert(err).IsNil()
@@ -50,7 +50,7 @@ func TestSecret(t *testing.T) {
 				secret := Secret{
 					Value:  "secretvalue",
 					Events: []WebhookEvent{EventPush},
-					Images: []string{"docker.io/library/mysql:latest", "alpine"},
+					Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 				}
 				err := secret.Validate()
 				g.Assert(err).IsNotNil()
@@ -59,7 +59,7 @@ func TestSecret(t *testing.T) {
 				secret := Secret{
 					Name:   "secretname",
 					Events: []WebhookEvent{EventPush},
-					Images: []string{"docker.io/library/mysql:latest", "alpine"},
+					Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 				}
 				err := secret.Validate()
 				g.Assert(err).IsNotNil()
@@ -68,12 +68,12 @@ func TestSecret(t *testing.T) {
 				secret := Secret{
 					Name:   "secretname",
 					Value:  "secretvalue",
-					Images: []string{"docker.io/library/mysql-alpine:latest", "alpine"},
+					Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 				}
 				err := secret.Validate()
 				g.Assert(err).IsNotNil()
 			})
-			g.It("wrong image no value", func() {
+			g.It("wrong image: no value", func() {
 				secret := Secret{
 					Name:   "secretname",
 					Value:  "secretvalue",
@@ -83,6 +83,36 @@ func TestSecret(t *testing.T) {
 				err := secret.Validate()
 				g.Assert(err).IsNotNil()
 			})
+			g.It("wrong image: no hostname", func() {
+				secret := Secret{
+					Name:   "secretname",
+					Value:  "secretvalue",
+					Events: []WebhookEvent{EventPush},
+					Images: []string{"/library/mysql:latest", ":8443/mysql:latest", ":8443/library/mysql:latest", "/library/mysql", ":8443/mysql", ":8443/library/mysql"},
+				}
+				err := secret.Validate()
+				g.Assert(err).IsNotNil()
+			})
+			g.It("wrong image: no port number", func() {
+				secret := Secret{
+					Name:   "secretname",
+					Value:  "secretvalue",
+					Events: []WebhookEvent{EventPush},
+					Images: []string{"localregistry.test:/mysql:latest", "localregistry.test:/mysql"},
+				}
+				err := secret.Validate()
+				g.Assert(err).IsNotNil()
+			})
+			g.It("wrong image: no tag name", func() {
+				secret := Secret{
+					Name:   "secretname",
+					Value:  "secretvalue",
+					Events: []WebhookEvent{EventPush},
+					Images: []string{"docker.io/library/mysql:", "alpine:", "localregistry.test:8443/mysql:", "localregistry.test:8443/library/mysql:"},
+				}
+				err := secret.Validate()
+				g.Assert(err).IsNotNil()
+			})
 		})
 	})
 }