From a39b66e08a3a6d7769d41258e4cea7ee923899ef Mon Sep 17 00:00:00 2001
From: Jannik Heuer
Date: Tue, 31 Oct 2023 13:15:13 +0100
Subject: [PATCH] Fix secret image filter regex (#2674)

---
 server/model/secret.go | 12 +++++++----
 server/model/secret_test.go | 40 ++++++++++++++++++++++++++++++++-----
 2 files changed, 43 insertions(+), 9 deletions(-)

diff --git a/server/model/secret.go b/server/model/secret.go
index 71f3311351..fd5ead24fc 100644
--- a/server/model/secret.go
+++ b/server/model/secret.go
@@ -115,10 +115,14 @@ func (s *Secret) Match(event WebhookEvent) bool {
 }
 
 var validDockerImageString = regexp.MustCompile(
- `^([\w\d\-_\.\/]*` + // optional url prefix
- `[\w\d\-_]+` + // image name
- `)+` +
- `(:[\w\d\-_]+)?$`, // optional image tag
+ `^(` +
+ `[\w\d\-_\.]+` + // hostname
+ `(:\d+)?` + // optional port
+ `/)?` + // optional hostname + port
+ `([\w\d\-_\.][\w\d\-_\.\/]*/)?` + // optional url prefix
+ `([\w\d\-_]+)` + // image name
+ `(:[\w\d\-_]+)?` + // optional image tag
+ `$`,
 )
 
 // Validate validates the required fields and formats.
diff --git a/server/model/secret_test.go b/server/model/secret_test.go
index 9b72a36ff5..b226b669c9 100644
--- a/server/model/secret_test.go
+++ b/server/model/secret_test.go
@@ -40,7 +40,7 @@ func TestSecret(t *testing.T) {
 Name: "secretname",
 Value: "secretvalue",
 Events: []WebhookEvent{EventPush},
- Images: []string{"docker.io/library/mysql:latest", "alpine"},
+ Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 }
 err := secret.Validate()
 g.Assert(err).IsNil()
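Review bot: The tag group `(:[\w\d\-_]+)?` and the image-name group `([\w\d\-_]+)` in the new validDockerImageString leave out `.`, so a versioned filter such as `mysql:8.0` (constructed example) is rejected; if tags are meant to be accepted here, the tag class should be `(:[\w\-\.]+)?`. The url-prefix group `([\w\d\-_\.][\w\d\-_\.\/]*/)?` is also loose: it accepts `..` segments and empty segments such as `a//b`, which is worth tightening because this list decides which images a secret is exposed to. `\w` already covers digits and `_`, so `\d` and `_` can be dropped from every class. How Validate applies the pattern lies outside the hunk.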
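Review bot: The eight-element `Images` literal is pasted verbatim into this hunk and into the hunks at -50, -59 and -68; declaring it once, e.g. `validImages := []string{…}` at the top of the test, would keep the four copies in step. In those three later tests the expected error comes from the missing Name, Value or Events, so only this hunk's `IsNil` case exercises acceptance, and because all eight references go through one Validate() call a failure does not say which one was rejected. The -68 hunk also drops `docker.io/library/mysql-alpine:latest`, leaving no test input with `-` in the image name.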
@@ -50,7 +50,7 @@ func TestSecret(t *testing.T) {
 secret := Secret{
 Value: "secretvalue",
 Events: []WebhookEvent{EventPush},
- Images: []string{"docker.io/library/mysql:latest", "alpine"},
+ Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 }
 err := secret.Validate()
 g.Assert(err).IsNotNil()
@@ -59,7 +59,7 @@ func TestSecret(t *testing.T) {
 secret := Secret{
 Name: "secretname",
 Events: []WebhookEvent{EventPush},
- Images: []string{"docker.io/library/mysql:latest", "alpine"},
+ Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 }
 err := secret.Validate()
 g.Assert(err).IsNotNil()
@@ -68,12 +68,12 @@ func TestSecret(t *testing.T) {
 secret := Secret{
 Name: "secretname",
 Value: "secretvalue",
- Images: []string{"docker.io/library/mysql-alpine:latest", "alpine"},
+ Images: []string{"docker.io/library/mysql:latest", "alpine:latest", "localregistry.test:8443/mysql:latest", "localregistry.test:8443/library/mysql:latest", "docker.io/library/mysql", "alpine", "localregistry.test:8443/mysql", "localregistry.test:8443/library/mysql"},
 }
 err := secret.Validate()
 g.Assert(err).IsNotNil()
 })
- g.It("wrong image no value", func() {
+ g.It("wrong image: no value", func() {
 secret := Secret{
 Name: "secretname",
 Value: "secretvalue",
@@ -83,6 +83,36 @@ func TestSecret(t *testing.T) {
 err := secret.Validate()
 g.Assert(err).IsNotNil()
 })
+ g.It("wrong image: no hostname", func() {
+ secret := Secret{
+ Name: "secretname",
+ Value: "secretvalue",
+ Events: []WebhookEvent{EventPush},
+ Images: []string{"/library/mysql:latest", ":8443/mysql:latest", ":8443/library/mysql:latest", "/library/mysql", ":8443/mysql", ":8443/library/mysql"},
+ }
+ err := secret.Validate()
+ g.Assert(err).IsNotNil()
+ })
+ g.It("wrong image: no port number", func() {
+ secret := Secret{
+ Name: "secretname",
+ Value: "secretvalue",
+ Events: []WebhookEvent{EventPush},
+ Images: []string{"localregistry.test:/mysql:latest", "localregistry.test:/mysql"},
+ }
+ err := secret.Validate()
+ g.Assert(err).IsNotNil()
+ })
+ g.It("wrong image: no tag name", func() {
+ secret := Secret{
+ Name: "secretname",
+ Value: "secretvalue",
+ Events: []WebhookEvent{EventPush},
+ Images: []string{"docker.io/library/mysql:", "alpine:", "localregistry.test:8443/mysql:", "localregistry.test:8443/library/mysql:"},
+ }
+ err := secret.Validate()
+ g.Assert(err).IsNotNil()
+ })
 })
 })
 }
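Review bot: Each of the three new negative cases passes several malformed references to a single Validate() call, so `g.Assert(err).IsNotNil()` is satisfied as soon as any one of them is rejected; a regression that let `:8443/mysql` through would go unnoticed while `/library/mysql:latest` still fails. Validate's body is not in this diff, but whatever order it checks in, one error for the whole slice cannot show that every entry is refused. Iterating with `for _, img := range images` and building the Secret with `Images: []string{img}` before asserting would pin each reference individually. The same applies to the "no port number" and "no tag name" blocks in this hunk.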