cli/command/registry: preserve all whitespace in secrets

thaJeztah · thaJeztah · commit 12275568caf4 · 2026-02-12T14:06:22.000+01:00
Preserve all whitespace and treat the secret as an opaque value, leaving it to the registry to (in)validate. We still check for empty values in some places. This partially reverts a21a5f4, but checks for empty (whitespace-only) passwords without mutating the value. This better aligns with [NIST SP 800-63B §5.1.1.2], which describes that the value should be treated as opaque, preserving any other whitespace, including newlines. Note that trimming whitespace may still happen elsewhere (see [NIST SP 800-63B (revision 4) §3.1.1.2]); > Verifiers **MAY** make limited allowances for mistyping (e.g., removing > leading and trailing whitespace characters before verification, allowing > the verification of passwords with differing cases for the leading character) [NIST SP 800-63B §5.1.1.2]: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver [NIST SP 800-63B (revision 4) §3.1.1.2]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/cli/command/registry.go b/cli/command/registry.go
@@ -144,8 +144,8 @@ func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword
 		}
 	}
 
-	argPassword = strings.TrimSpace(argPassword)
-	if argPassword == "" {
+	isEmpty := strings.TrimSpace(argPassword) == ""
+	if isEmpty {
 		restoreInput, err := prompt.DisableInputEcho(cli.In())
 		if err != nil {
 			return registrytypes.AuthConfig{}, err
diff --git a/cli/command/registry/login_test.go b/cli/command/registry/login_test.go
@@ -306,6 +306,56 @@ func TestRunLogin(t *testing.T) {
 				},
 			},
 		},
+		{
+			doc:              "password with leading and trailing spaces",
+			priorCredentials: map[string]configtypes.AuthConfig{},
+			input: loginOptions{
+				serverAddress: "reg1",
+				user:          "my-username",
+				password:      "  my password with spaces  ",
+			},
+			expectedCredentials: map[string]configtypes.AuthConfig{
+				"reg1": {
+					Username:      "my-username",
+					Password:      "  my password with spaces  ",
+					ServerAddress: "reg1",
+				},
+			},
+		},
+		{
+			doc:              "password stdin with line-endings",
+			priorCredentials: map[string]configtypes.AuthConfig{},
+			stdIn:            "  my password with spaces  \r\n",
+			input: loginOptions{
+				serverAddress: "reg1",
+				user:          "my-username",
+				passwordStdin: true,
+			},
+			expectedCredentials: map[string]configtypes.AuthConfig{
+				"reg1": {
+					Username:      "my-username",
+					Password:      "  my password with spaces  ",
+					ServerAddress: "reg1",
+				},
+			},
+		},
+		{
+			doc:              "password stdin with multiple line-endings",
+			priorCredentials: map[string]configtypes.AuthConfig{},
+			stdIn:            "  my password\nwith spaces  \r\n\r\n",
+			input: loginOptions{
+				serverAddress: "reg1",
+				user:          "my-username",
+				passwordStdin: true,
+			},
+			expectedCredentials: map[string]configtypes.AuthConfig{
+				"reg1": {
+					Username:      "my-username",
+					Password:      "  my password\nwith spaces  \r\n",
+					ServerAddress: "reg1",
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {

Original file line number	Diff line number	Diff line change
`@@ -144,8 +144,8 @@ func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`
`147`		`- argPassword = strings.TrimSpace(argPassword)`
`148`		`- if argPassword == "" {`
	`147`	`+ isEmpty := strings.TrimSpace(argPassword) == ""`
	`148`	`+ if isEmpty {`
`149`	`149`	`restoreInput, err := prompt.DisableInputEcho(cli.In())`
`150`	`150`	`if err != nil {`
`151`	`151`	`return registrytypes.AuthConfig{}, err`