Project Quay: PROJQUAY-8663

Block /v2/_catalog when catalog.enabled=false


Type: Feature
Resolution: Unresolved
Priority: Minor
Component: registry-proxy

      Davide F Bragalone: Hi folks, I work in the InfoSec team. A user came to us with some concerns related to brew.registry.redhat.io access. Not sure if this is the right channel, eventually is someone here with whom I can clarify some concerns?

      hseljene: What are the concerns?

      Davide F Bragalone: The reporter is concerned about the possibility of listing brew's images once logged in to registry.io (given anyone could get a Developer Subscription and access):
      a list of all visible images can be retrieved using:
      curl -X GET https://<registryuser>:<registrypass>@brew.registry.redhat.io/v2/_catalog

      When running the above curl command, it will not retrieve any Ansible Automation Platform image (but dozens of other images), which leads me to believe that there are hidden images.
      He is worried that such images might contain secrets. So he opted to report it.
      My thought would be:
      I assume that if a user has a developer account, it can access those images
      Red Hat (not only) images should not contain secrets anyway (those are getting already scanned for vuln_mgmt purposes I assume)
      But I preferred to check with you
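As an added illustration of what the ticket title asks for (this is not Quay's code and not written by anyone in the conversation above), a front-door request filter that refuses the Distribution catalog endpoint when the catalog feature is off. The `CATALOG_ENABLED` flag, the `handle` dispatcher and the 404 with an `UNSUPPORTED` error body are assumptions made for the example; the page does not give Quay's real configuration key or error format. The point worth seeing in code is that the check must run before authentication and must normalise the path, otherwise a valid developer token or a trivially encoded URL still yields the listing.

```python
"""Illustrative catalog gate for a registry proxy; not Quay's own code."""
import json
from dataclasses import dataclass, field
from urllib.parse import unquote

# Assumed configuration flag standing in for the ticket's catalog.enabled;
# the real Quay key and default are not given on the issue page.
CATALOG_ENABLED = False


@dataclass
class Response:
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)


def is_catalog_request(path: str) -> bool:
    """Return True if `path` addresses the Distribution catalog endpoint.

    The query string is stripped, percent-encoding is decoded once (as a
    typical server does) and empty segments are dropped, so
    /v2/_catalog?n=100, /v2//_catalog/, /v2/%5Fcatalog and /v2%2F_catalog
    are all recognised instead of slipping past a naive string compare.
    """
    path = unquote(path.split("?", 1)[0])
    segments = [seg for seg in path.split("/") if seg]
    return segments == ["v2", "_catalog"]


def catalog_disabled_response() -> Response:
    """404 with a Distribution-style error body (assumed format).

    404 rather than 403 tells an authenticated but unprivileged caller
    nothing about whether a catalog exists behind the proxy at all.
    """
    body = json.dumps({"errors": [{
        "code": "UNSUPPORTED",
        "message": "repository catalog listing is disabled",
        "detail": None,
    }]}).encode()
    return Response(404, body, {
        "Content-Type": "application/json",
        "Docker-Distribution-API-Version": "registry/2.0",
    })


def handle(path: str, catalog_enabled: bool = CATALOG_ENABLED) -> Response:
    """Hypothetical dispatch entry point for the proxy.

    The catalog check runs before any credential is examined and before
    any upstream call, so presenting a valid subscription token does not
    turn the listing back on.  Every other request falls through to a
    stand-in for the real registry handlers.
    """
    if is_catalog_request(path) and not catalog_enabled:
        return catalog_disabled_response()
    return Response(200, b'{"ok": true}')


if __name__ == "__main__":
    for p in ("/v2/_catalog", "/v2/_catalog?n=100", "/v2/%5Fcatalog",
              "/v2/", "/v2/rhel8/_catalog/tags/list"):
        print(p, "->", handle(p).status)
```

Blocking the route is a different control from filtering what the route returns: with the gate closed, a developer-subscription account learns nothing from `/v2/_catalog`, but repositories it already knows the name of remain reachable through the normal pull paths, which is the intended behaviour.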

Assignee: Unassigned
Reporter: Henning Seljenes (rhn-it-hseljene)
Votes: 0
Watchers: 4