Add a new type to use for building filter predicates for API requests,
replacing "./api/types/filters".Args in the client. Remove the now
unused api/types/filters package.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Most of the code in the filters package relates to the unmarshaling,
validation and application of filters from client requests. None of this
is necessary or particularly useful for Go SDK users. Move the full-fat
filters package into daemon/internal and switch all the daemon code to
import that package so we are free to iterate upon the code without
worrying about source-code interface compatibility.
Signed-off-by: Cory Snider <csnider@mirantis.com>
full diff: https://github.com/golang/net/compare/v0.44.0...v0.45.0
From the security announcement:
[security] Vulnerabilities in golang.org/x/net
Hello gophers,
We have tagged version v0.45.0 of golang.org/x/net in order to address two
security issues.
This version fixes two vulnerabilities in the golang.org/x/net/html package
which could result in calls to Parse (and associated functions) executing
unexpectedly slowly relative to the size of the input or never returning when
encountering specific inputs.
These vulnerabilities affect programs which parse untrusted HTML documents.
- The parser implements the HTML specification, which contains a number of
algorithms which are quadratic in complexity by design. This causes the
processing time to scale non-linearly with respect to the size of the input for
some HTML documents. We have imposed a depth limit of 512 for nested HTML tags,
which should be high enough for the vast majority of valid HTML documents, to
address this.
Thanks to Jakub Guido Vranken and Jakub Ciolek for both independently reporting
this issue.
This is CVE-2025-47911 and Go issue https://go.dev/issue/75682.
- The parser also misimplemented a portion of the HTML specification for table
related tags. This could cause the parser to enter an infinite loop when
encountering specific combinations of tags.
Thanks to Guido Vranken for reporting this issue.
This is CVE-2025-58190 and Go issue https://go.dev/issue/70179.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This minor release includes 10 security fixes following the security policy:
- net/mail: excessive CPU consumption in ParseAddress
The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.
- crypto/x509: quadratic complexity when checking name constraints
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scales non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58187 and Go issue https://go.dev/issue/75681.
- crypto/tls: ALPN negotiation errors can contain arbitrary text
The crypto/tls conn.Handshake method returns an error on the server-side when
ALPN negotation fails which can contain arbitrary attacker controlled
information provided by the client-side of the connection which is not escaped.
This affects programs which log these errors without any additional form of
sanitization, and may allow injection of attacker controlled information into
logs.
Thanks to National Cyber Security Centre Finland for reporting this issue.
This is CVE-2025-58189 and Go issue https://go.dev/issue/75652.
- encoding/pem: quadratic complexity when parsing some invalid inputs
Due to the design of the PEM parsing function, the processing time for some
inputs scales non-linearly with respect to the size of the input.
This affects programs which parse untrusted PEM inputs.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61723 and Go issue https://go.dev/issue/75676.
- net/url: insufficient validation of bracketed IPv6 hostnames
The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue.
This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.
- encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.
- net/http: lack of limit when parsing cookies can cause memory exhaustion
Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.
- crypto/x509: panic when validating certificates with DSA public keys
Validating certificate chains which contain DSA public keys can cause programs
to panic, due to a interface cast that assumes they implement the Equal method.
This affects programs which validate arbitrary certificate chains.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58188 and Go issue https://go.dev/issue/75675.
- archive/tar: unbounded allocation when parsing GNU sparse map
tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.
Thanks to Harshit Gupta (Mr HAX) - https://www.linkedin.com/in/iam-harshit-gupta/ for reporting this issue.
This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.
- net/textproto: excessive CPU consumption in Reader.ReadResponse
The Reader.ReadResponse function constructed a response string through
repeated string concatenation of lines. When the number of lines in a response is large,
this could cause excessive CPU consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This field was deprecated API v1.48 in [moby@ff191c5], and removed in
API v1.49 in [moby@564abf9].
This patch:
- Removes the field from the API Go types.
- Reimplements the `/info` endpoint with the `compat` package to replace
the local `infoResponse` implementation.
- Removes the `ServiceConfig.ExtraFields` field in api/types/registry
introduced in [moby@7d9c50d] to backfill the `AllowNondistributableArtifactsCIDRs`
and `AllowNondistributableArtifactsHostnames` fields for API < v1.47.
We should also consider deprecating the `ContainerdCommit`, `RuncCommit`
and `InitCommit` fields on the `/info` response (as we also include this
information as part of the components returned in `/version`), but those
can still be useful currently for situations where a user only provides
`docker info` output.
[moby@ff191c5]: ff191c58f7
[moby@564abf9]: 564abf9157
[moby@7d9c50d]: 7d9c50db2b
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The default gc policy calculations based on percentage were calculated
improperly. These were calculated correctly in buildkit, but the
calculation method was not copied over correctly when updating the
values.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
The InspectResponse type contains various fields that are deprecated
and removed from current API versions, but that were kept for the API
server to produce the fields when downgrading to older API versions.
- The `Parent` field is only used for the legacy builder, and only set for
images that are built locally (i.e., not persisted when pulling an image).
- The `DockerVersion` field is only set when building images with the legacy
builder, and empty in most cases.
Both fields were implicitly deprecated with the deprecation of the legacy
builder, and deprecated for the API in [moby@bd8a99b], which was backported
to the 28.x release.
This patch:
- Removes the deprecated fields from the `InspectResposne` struct; this
means that [`client.ImageInspect`] won't unmarshal those fields, but
the [`docker image inspect`] CLI command defaults to printing the raw
output as returned by the API, so can continue to show any field returned
in the API response. As a side-note; we should change the CLI to default
to show the unmarshalled response, and introduce a `--format=jsonraw`
(or `--raw`) option to make printing the raw response opt-in.
- Updates the API server to backfill the fields if they are set.
[moby@bd8a99b]: bd8a99b400
[`client.ImageInspect`]: f739c61c69/client/image_inspect.go (L14-L64)
[`docker image inspect`]: 74e3520724/cli/command/image/inspect.go (L59-L81)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The InspectResponse type contains various fields that are deprecated
and removed from current API versions, but that were kept for the API
server to produce the fields when downgrading to older API versions.
This patch:
- Introduces a `imagebackend.InspectData` type for the daemon to use for
returning the data needed to propagate the API response. It currently
embeds the API response type and combines it with the legacy fields,
but this could be changed to return the internal Image type, and
mapping the fields to the API response type in the router.
- Removes the deprecated fields from the `InspectResposne` struct; this
means that [`client.ImageInspect`] won't unmarshal those fields, but
the [`docker image inspect`] CLI command defaults to printing the raw
output as returned by the API, so can continue to show any field returned
in the API response. As a side-note; we should change the CLI to default
to show the unmarshalled response, and introduce a `--format=jsonraw`
(or `--raw`) option to make printing the raw response opt-in.
This patch removes the following fields from the `InspectResponse` type;
- `VirtualSize`: this field became obsolete with the migration to content-
addressable images in docker v1.10 ([moby@4352da7]), but was still returned
with a copy of the `Size` field. It was deprecated in API v1.43 ([moby@1261fe6]),
and removed in API v1.44 ([moby@913b0f5]).
- `Container` and `ContainerConfig`: both fields were deprecated in
API v1.44 ([moby@1602e2f]), and removed in API v1.45 ([moby@03cddc6]).
remove deprecated Container, ContainerConfig, VirtualSize
[moby@4352da7]: 4352da7803
[moby@1261fe6]: 1261fe69a3
[moby@913b0f5]: 913b0f51ca
[moby@1602e2f]: 1602e2f4f1
[moby@03cddc6]: 03cddc62f4
[`client.ImageInspect`]: f739c61c69/client/image_inspect.go (L14-L64)
[`docker image inspect`]: 74e3520724/cli/command/image/inspect.go (L59-L81)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The DockerVersion field was present for informational purposes, but was
not used anywhere. This patch stops propagating the field, which also
reduces the number of places where the `dockerversion` package is used,
which still needs a new home.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The DockerVersion field was used by the legacy builder, and set when
importing an image; when importing an image, this would potentially
result in less reproducible images, as the docker version used to import
the image would be encoded in the image's "v1" fields.
For the legacy builder, including the version of docker used to build
the image could still be useful information (but could be set as comment,
similar to what BuildKit does), however, many code paths were also shared
with other parts of the code; e.g., when listing images or inspecting images,
the `DockerVersion` field would always be set to the current version of
the docker daemon, and not taken from the information available in the
image (if any).
This patch removes locations where the `DockerVersion` field was set to
the current version of the daemon binary. When inspecting an image, the
field is still set with the information in the image itself (which may
be empty in most cases).
This also reduces the number of places where the `dockerversion` package
is used, which still needs a new home.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change reworks the Go mod tidy/vendor checks to run for all tracked Go modules by the project and fail for any uncommitted changes.
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
This was a mistake I made in eafca64a6b,
which was extracted from a set of changes that I had in progress, but
I forgot that patch was unfinished (whoops!); before that commit, the
legacy "Config" fields were handled through the `inspectCompatResponse`,
which applied the legacy fields to the `Config` struct within the image
inspect response.
When changing the implementation to use the `compat` package, those
fields were applied at the top-level of the response, instead of the
`Config`; additional changes were needed for the `compat` package to
support pathing nested structs, and to prevent "extra" fields from
overwriting fields that already existed in the response; these changes
were implemented in e204ba1dca.
This patch:
- Removes the old `inspectCompatResponse` implementation, which was
no longer used.
- Updates the router to patch the `Config` fields, using the fixes
and enhancements that were implemented in e204ba1dca.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This package was aliased as "imagespec" in some places, and "dockerspec"
in other places, which made it easy to confuse.
Change all uses of this package to be aliased as "dockerspec" and configure
an "importas" linting check to enforce it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The image inspect response has various fields that were deprecated as
part of the legacy builder, or Dockerfile syntax;
- The `Parent` field is only used for the legacy builder, and only set for
images that are built locally (i.e., not persisted when pulling an image).
- The `DockerVersion` field is only set when building images with the legacy
builder, and empty in most cases.
This patch deprecates the fields in the `InspectResponse` go struct, as
these fields will no longer be set in future once the legacy builder is
removed (`Parent`, `DockerVersion`). The legacy builder's deprecation in
[cli@4d8e457] / [cli@fd22746] (docker 23.0, API v1.42), however the related
API fields were kept so that information of legacy images would not be
discarded.
The API continues to return these fields if set, allowing the client to
print the fields for informational purposes when printing the raw response,
but these fields should be considered "transitional", and not be depended
on; deprecating the fields helps raise awareness.
[cli@4d8e457]: 4d8e45782b
[cli@fd22746]: fd2274692f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Minor issues to make my IDE happy:
- rename var that shadowed import
- rename vars to use the correct camelCase format
- fix minor grammar / formatting in comments
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was a bit of an oversight; when setting additional fields to add,
the compat package currently replaces fields unconditionally. This may
have sounded like an OK idea, but it makes it more complicated to augment
responses where current versions use an "omitempty", but older API versions
should return default / zero-values.
This patch:
- Changes the meaning of "extra fields"; extra fields are only used if
the field is not present in the response.
- Makes the merging of "extra fields" recursive; this makes it easier
to patch responses where extra fields must be added to nested structs.
Previously, this would require the nested struct to be wrapped with a
`compat.Wrap` and replaced as a whole; lacking a "replace" option made
that more complicated, so making the extra fields recursive.
- Comment-out a test that tested the old behavior of replacing fields;
we currently have no cases where we must _replace_ fields or structs,
so I did not yet implement such an option, but we can implement a
`WithReplaceFields` (e.g.) once there's a need.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
