Catalog- and manifest-supplied image refs reached pull_image without ever passing the RPC boundary's validator — a malicious catalog entry or manifest could pull from an arbitrary registry. The allowlist now lives in container::image_policy (the RPC check delegates to it) and both orchestrator pull sites (install_fresh and ensure_resolved_source_available) refuse refs that fail it. The shared policy accepts trusted-registry refs and registry-less Docker Hub shorthand (grafana/grafana etc., used by 8 shipped manifests — a registry-less ref cannot name an attacker host), and rejects explicit non-allowlisted hosts, shell metacharacters, and malformed refs. §A of the 1.8.0 hardening plan. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
25 lines
657 B
Rust
25 lines
657 B
Rust
pub mod app_catalog;
|
|
pub mod bitcoin_ui;
|
|
pub mod boot_reconciler;
|
|
pub mod companion;
|
|
pub mod data_manager;
|
|
pub mod dev_orchestrator;
|
|
pub mod docker_packages;
|
|
pub mod filebrowser;
|
|
pub mod hooks;
|
|
pub mod image_policy;
|
|
pub mod image_versions;
|
|
pub mod lnd;
|
|
pub mod prod_orchestrator;
|
|
pub mod quadlet;
|
|
pub mod registry;
|
|
pub mod secrets;
|
|
pub mod traits;
|
|
pub mod version_config;
|
|
|
|
pub use boot_reconciler::{BootReconciler, DEFAULT_INTERVAL as RECONCILER_DEFAULT_INTERVAL};
|
|
pub use dev_orchestrator::DevContainerOrchestrator;
|
|
pub use docker_packages::DockerPackageScanner;
|
|
pub use prod_orchestrator::ProdContainerOrchestrator;
|
|
pub use traits::ContainerOrchestrator;
|