SECURITY: tags are used without sanitization
As a user, I can do:
pulp-admin docker repo tag --repo-id test-docker --tag-name
which will result in the repo publishing the image as /var/lib/pulp/published/docker/v2/web/test-docker/manifests/just:kidding
(instead of under /var/lib/pulp/published/docker/v2/web/test-docker/manifests/2/)
It doesn't look like you can escape the repository directory structure with a cleverly crafted tag, but you can most certainly put a v2 image in the v1 namespace.
I think tags should follow a directory structure normalization, and any ../ should be stripped out.
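The kind of check the reporter is asking for, as an added example (it is not Pulp's code and is not taken from this ticket): a tag validator that first normalizes the would-be publish path and rejects anything that resolves outside the repository's manifests directory, then requires the tag to match the tag grammar used by the Docker distribution registry (one of `[A-Za-z0-9_]` followed by up to 127 of `[A-Za-z0-9_.-]`). The publish root is the one quoted in the report; the function names and the sample tags are invented for the example. The grammar check matters on its own, because a tag such as `just:kidding` never leaves the manifests directory and would pass normalization alone.

```python
import posixpath
import re

# Publish root as quoted in the report.
PUBLISH_ROOT = "/var/lib/pulp/published/docker/v2/web"

# Tag grammar used by the Docker distribution registry: one of [A-Za-z0-9_]
# followed by at most 127 of [A-Za-z0-9_.-]. Slashes and ':' can never match.
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]{0,127}$")


def manifests_dir(repo_id):
    """Directory holding a repository's published tag -> manifest entries."""
    return posixpath.join(PUBLISH_ROOT, repo_id, "manifests")


def reject_reason(repo_id, tag):
    """Return None if the tag is safe to publish, otherwise a short reason.

    Check 1 (the reporter's suggestion): normalize the resolved path and make
    sure it is still inside the repository's manifests directory, so no
    sequence of "../" (or an absolute path) can land a file elsewhere.
    Check 2: the tag must match the registry tag grammar, which also rules out
    names like "just:kidding" that check 1 alone would accept.
    """
    base = manifests_dir(repo_id)
    target = posixpath.normpath(posixpath.join(base, tag))
    if posixpath.commonpath([base, target]) != base:
        return "tag escapes the manifests directory"
    if not TAG_RE.match(tag):
        return "tag does not match the Docker tag grammar"
    return None


def safe_manifest_path(repo_id, tag):
    """Publish path for (repo_id, tag), or None when the tag is rejected."""
    if reject_reason(repo_id, tag) is not None:
        return None
    return posixpath.join(manifests_dir(repo_id), tag)


if __name__ == "__main__":
    # Constructed sample tags: one good, the rest rejected for different reasons.
    for sample in ["2", "v1.2.3-rc_1", "../../v1/latest", "just:kidding", "a/b"]:
        print(repr(sample), "->", reject_reason("test-docker", sample) or
              safe_manifest_path("test-docker", sample))
```

Doing the containment check with `posixpath` rather than `os.path` keeps the result identical on every platform, and checking containment before the grammar means the function reports the more serious problem (escape from the directory) when both apply.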
Updated by bmbouter over 4 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.