From cea446a57ee85ac82a7f4c87d69f1b6036f2f59c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Mon, 26 Feb 2024 19:46:12 +0100
Subject: [PATCH] Return early in getExternalBlob
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Simplify the possible states when we exit the loop

Signed-off-by: Miloslav Trmač
---
 docker/docker_client.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/docker/docker_client.go b/docker/docker_client.go
index 380f79d522..cf30713bb0 100644
--- a/docker/docker_client.go
+++ b/docker/docker_client.go
@@ -978,10 +978,7 @@ func (c *dockerClient) fetchManifest(ctx context.Context, ref dockerReference, t
 // This function can return nil reader when no url is supported by this function. In this case, the caller
 // should fallback to fetch the non-external blob (i.e. pull from the registry).
 func (c *dockerClient) getExternalBlob(ctx context.Context, urls []string) (io.ReadCloser, int64, error) {
- var (
- resp *http.Response
- remoteErrors error
- )
+ var remoteErrors error
 if len(urls) == 0 {
 return nil, 0, errors.New("internal error: getExternalBlob called with no URLs")
 }
@@ -990,6 +987,7 @@ func (c *dockerClient) getExternalBlob(ctx context.Context, urls []string) (io.R
 if err != nil || (blobURL.Scheme != "http" && blobURL.Scheme != "https") {
 continue // unsupported url. skip this url.
 }
+ var resp *http.Response
 // NOTE: we must not authenticate on additional URLs as those
 // can be abused to leak credentials or tokens. Please
 // refer to CVE-2020-15157 for more information.
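Review bot: The doc comment at the top of the first hunk covers only the nil-reader case and says nothing about how far a non-nil result can be trusted. The scheme check in the following hunk accepts plain `http`, and the NOTE there states the request is deliberately unauthenticated, so the stream comes from a location named in the `urls` argument rather than from the authenticated registry. I would extend the function comment with `// The returned stream and size are not verified here; the caller must check the blob against its expected digest.` Whether the caller already does this is outside the diff, and the function body continues past the hunk.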
@@ -1001,16 +999,13 @@ func (c *dockerClient) getExternalBlob(ctx context.Context, urls []string) (io.R
 resp.Body.Close()
 continue
 }
- break
+ return resp.Body, getBlobSize(resp), nil
 }
 }
- if resp == nil && remoteErrors == nil {
+ if remoteErrors == nil {
 return nil, 0, nil // fallback to non-external blob
 }
- if remoteErrors != nil {
- return nil, 0, remoteErrors
- }
- return resp.Body, getBlobSize(resp), nil
+ return nil, 0, remoteErrors
 }

 func getBlobSize(resp *http.Response) int64 {
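Review bot: The post-loop check `if remoteErrors == nil` now decides the registry fallback on its own, so it is correct only if every failed attempt appends to `remoteErrors`. The lines that record a non-200 status or a request error sit outside this hunk, so that cannot be confirmed from here. If a request error is not recorded, a supported but unreachable URL ends as `nil, 0, nil`, which the function comment describes as "no url is supported". A short comment above the check would pin the invariant, e.g. `// No URL succeeded: nil remoteErrors means no attempt recorded a failure, so fall back to the registry.` The loop body starts outside the hunk.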