From f5bc86ef79e54ecf8dba5c4578c46f17292e50f9 Mon Sep 17 00:00:00 2001
From: user123
Date: Mon, 2 Feb 2026 09:53:45 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E9=BD=90=E8=AE=BF=E9=97=AE=E6=8E=A7?= =?UTF-8?q?=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/handlers/imagetar.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/src/handlers/imagetar.go b/src/handlers/imagetar.go
index f263965..bcb841e 100644
--- a/src/handlers/imagetar.go
+++ b/src/handlers/imagetar.go
@@ -717,6 +717,10 @@ func handleDirectImageDownload(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "镜像引用格式错误: " + err.Error()})
 return
 }
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
 if c.Query("mode") == "prepare" {
 userID := getUserID(c)
@@ -765,6 +769,10 @@ func handleDirectImageDownload(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "下载令牌与镜像不匹配"})
 return
 }
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(req.Image); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
 options := &StreamOptions{
 Platform: req.Platform,
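Review bot: The guard added after the reference-format check in handleDirectImageDownload passes `imageRef` to CheckDockerAccess, and nothing in the hunk shows that this string is the canonical form of the reference that is later pulled. If the controller matches on text, equivalent spellings of one image (implicit registry or namespace, tag versus digest) could be judged differently from what is actually fetched; the two passes added in handleSimpleBatchDownload, before and after the `:latest` default, suggest the verdict does depend on spelling. Checking the normalized, fully qualified reference would close that gap, with a comment such as `// access check runs on the normalized reference that is actually pulled`. The same question applies to the guards on `req.Image` and in handleImageInfo. The function body continues outside the hunk.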
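Review bot: The 403 branch added after the token/image match in handleDirectImageDownload returns the controller's `reason` verbatim to the client and records nothing on the server. If `reason` names the allow- or deny-list entry that matched (not visible here), the response discloses policy detail; a fixed client message with the detail written to the server log avoids that and leaves operators a trail of denials. A line such as `log.Printf("docker access denied: image=%q reason=%q", req.Image, reason)` before the response would do, using whichever logger the file already has. The other four guards in this patch follow the same pattern.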
@@ -844,12 +852,24 @@ func handleSimpleBatchDownload(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "镜像列表不能为空"})
 return
 }
+ for _, imageRef := range req.Images {
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
+ }
 for i, imageRef := range req.Images {
 if !strings.Contains(imageRef, ":") && !strings.Contains(imageRef, "@") {
 req.Images[i] = imageRef + ":latest"
 }
 }
+ for _, imageRef := range req.Images {
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
+ }
 cfg := config.GetConfig()
 if len(req.Images) > cfg.Download.MaxImages {
@@ -910,6 +930,10 @@ func handleImageInfo(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "镜像引用格式错误: " + err.Error()})
 return
 }
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
 ctx := c.Request.Context()
 contextOptions := append(globalImageStreamer.remoteOptions, remote.WithContext(ctx))
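Review bot: Both new loops in handleSimpleBatchDownload run before the `len(req.Images) > cfg.Download.MaxImages` limit, so an oversized list goes through two CheckDockerAccess passes per entry before it is rejected for length. Moving the length check above the loops bounds that work. The first loop, on the strings before tag defaulting, also looks redundant once the second loop checks the references with `:latest` applied, since those are the ones used afterwards. If it is kept on purpose, a comment such as `// checked before and after tag defaulting because the controller matches on the raw string` would say why. The function body continues outside the hunk.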