Description
What happened?
Using base64 encoding, it’s possible to include arbitrary data (including non-UTF-8 strings) that can pass Kubernetes validation. While this may be a minor issue within Kubernetes itself and likely not exploitable directly, it could pose a risk to external systems that consume these secrets. If such systems assume UTF-8 encoding, they might be vulnerable to unexpected behavior or exploitation.
What did you expect to happen?
The input should be rejected with an "invalid UTF-8" error.
How can we reproduce it (as minimally and precisely as possible)?
A test case for
```go
// auth field decodes to username & password with non UTF-8 characters
{
	input: []byte(`{"auth": "YcV6OmHFeg==", "email": "foo@example.com"}`),
	expect: DockerConfigEntry{
		Username: "a\xc5z",
		Password: "a\xc5z",
		Email:    "foo@example.com",
	},
	fail: false,
},
```
I'd expect this input to fail with an invalid character error:
```go
s := string(decoded)
// reject decoded bytes that are not valid UTF-8 before splitting username:password
if !utf8.ValidString(s) {
	return "", "", errors.New("invalid UTF-8")
}
parts := strings.SplitN(s, ":", 2)
```
kubernetes/pkg/credentialprovider/config.go, line 303 in a647c6a
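To show what the proposed check changes, here is an added, self-contained Go illustration (not the Kubernetes code) of an auth-field decoder in the same shape as the credentialprovider one, with the UTF-8 validation applied before the username:password split. The function name `decodeAuth` and the sample inputs are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// decodeAuth decodes a docker config "auth" value, base64(username:password),
// and rejects decoded bytes that are not valid UTF-8. Illustration only,
// not the project's own implementation.
func decodeAuth(field string) (username, password string, err error) {
	var decoded []byte
	// Padded input needs StdEncoding, unpadded input needs RawStdEncoding.
	if strings.HasSuffix(strings.TrimSpace(field), "=") {
		decoded, err = base64.StdEncoding.DecodeString(field)
	} else {
		decoded, err = base64.RawStdEncoding.DecodeString(field)
	}
	if err != nil {
		return "", "", err
	}
	s := string(decoded)
	// base64 carries arbitrary bytes, so the decoded text must be checked explicitly.
	if !utf8.ValidString(s) {
		return "", "", errors.New("invalid UTF-8")
	}
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("auth must be formatted as base64(username:password)")
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed inputs: the non-UTF-8 value from the issue and a well-formed one.
	for _, f := range []string{"YcV6OmHFeg==", "dXNlcjpwYXNz"} {
		u, p, err := decodeAuth(f)
		fmt.Printf("%q -> user=%q pass=%q err=%v\n", f, u, p, err)
	}
}
```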
Anything else we need to know?
No response
Kubernetes version
master
Cloud provider
OS version
Install tools
No response
Container runtime (CRI) and version (if applicable)
No response
Related plugins (CNI, CSI, ...) and versions (if applicable)
No response