bump github.com/moby/buildkit to v0.13.0 (#351)

* bump github.com/moby/buildkit to v0.13.0 Signed-off-by: Nianyu Shen <nianyu@spectrocloud.com> * fix: update dep usage based on newer version Signed-off-by: Nianyu Shen <nianyu@spectrocloud.com> * remove empty line Signed-off-by: Nianyu Shen <nianyu@spectrocloud.com> * ci: bump golang to 1.21.x * Bump moby * debug --------- Signed-off-by: Nianyu Shen <nianyu@spectrocloud.com> Co-authored-by: Nianyu Shen <nianyu@spectrocloud.com>
2025-09-26 15:15:31 +00:00 · 2024-03-15 09:26:32 +01:00
parent c47bf4833a
commit 4c788ccbd1
1779 changed files with 127547 additions and 71408 deletions
--- a/vendor/github.com/google/go-containerregistry/internal/redact/redact.go
+++ b/vendor/github.com/google/go-containerregistry/internal/redact/redact.go
@@ -17,6 +17,8 @@ package redact

 import (
 	"context"
+	"errors"
+	"net/url"
 )

 type contextKey string
@@ -33,3 +35,55 @@ func FromContext(ctx context.Context) (bool, string) {
 	reason, ok := ctx.Value(redactKey).(string)
 	return ok, reason
 }
+
+// Error redacts potentially sensitive query parameter values in the URL from the error's message.
+//
+// If the error is a *url.Error, this returns a *url.Error with the URL redacted.
+// Any other error type, or nil, is returned unchanged.
+func Error(err error) error {
+	// If the error is a url.Error, we can redact the URL.
+	// Otherwise (including if err is nil), we can't redact.
+	var uerr *url.Error
+	if ok := errors.As(err, &uerr); !ok {
+		return err
+	}
+	u, perr := url.Parse(uerr.URL)
+	if perr != nil {
+		return err // If the URL can't be parsed, just return the original error.
+	}
+	uerr.URL = URL(u).String() // Update the URL to the redacted URL.
+	return uerr
+}
+
+// The set of query string keys that we expect to send as part of the registry
+// protocol. Anything else is potentially dangerous to leak, as it's probably
+// from a redirect. These redirects often included tokens or signed URLs.
+var paramAllowlist = map[string]struct{}{
+	// Token exchange
+	"scope":   {},
+	"service": {},
+	// Cross-repo mounting
+	"mount": {},
+	"from":  {},
+	// Layer PUT
+	"digest": {},
+	// Listing tags and catalog
+	"n":    {},
+	"last": {},
+}
+
+// URL redacts potentially sensitive query parameter values from the URL's query string.
+func URL(u *url.URL) *url.URL {
+	qs := u.Query()
+	for k, v := range qs {
+		for i := range v {
+			if _, ok := paramAllowlist[k]; !ok {
+				// key is not in the Allowlist
+				v[i] = "REDACTED"
+			}
+		}
+	}
+	r := *u
+	r.RawQuery = qs.Encode()
+	return &r
+}