GitLab Container Registry repository names regex is not at parity with docker/registry
Summary
Our container_repository_name_regex
(https://gitlab.com/gitlab-org/gitlab/blob/1ce0e5a7bc241e4c5ea381b271cf789bfa4203ba/lib/gitlab/regex.rb#L22) is rejecting valid image repository names/paths, including those with a --
.
Compare against: https://github.com/docker/distribution/blob/master/reference/regexp.go#L6-L20
We addressed this some time ago with:
But we never came back to solve the root problem in the backend.
Reported (Zendesk, internal use only) by a 1,600-seat ultimate customer.
Steps to reproduce
- Have a GitLab project with name or namespace containing
--
. - Build an image tagged to that repository name/path
- Try to push
Example Project
(If possible, please create an example project here on GitLab.com that exhibits the problematic behavior, and link to it here in the bug report)
(If you are using an older version of GitLab, this will also determine whether the bug is fixed in a more recent version)
What is the current bug behavior?
Pushing with
What is the expected correct behavior?
(What you should see instead)
Relevant logs and/or screenshots
Docker push:
➜ docker image push localhost:5000/root/test--web--app:latest
The push refers to repository [localhost:5000/root/test--web--app]
19409db8f25a: Preparing
bba7d2385bc1: Preparing
77cae8ab23bf: Preparing
denied: requested access to the resource is denied
Relevant log:
{"method":"GET","path":"/jwt/auth","format":"html","controller":"JwtController","action":"auth","status":200,"duration":107.36,"view":0.16,"db":28.11,"time":"2019-11-18T08:32:55.238Z","params":[{"key":"account","value":"root"},{"key":"scope","value":"repository:root/test--web--app:push,pull"},{"key":"service","value":"container_registry"}],"remote_ip":"172.21.0.1","user_id":null,"username":null,"ua":"docker/19.03.4 go/go1.12.10 git-commit/9013bf5 kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.4 \\(darwin\\))","queue_duration":5.42,"correlation_id":"mRCL4Tv4Y46","cpu_s":0.08272264299999987}
Both CLI output and logs are misleading as requested access to resource is not really denied, it's that our regex incorrectly rejects the valid container path.
Output of checks
This happens on v12.4.2-ee. It should also happen on GitLab.com.
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)