@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/managers/docker.js

@@ -20,8 +20,12 @@ import {
   getAllFiles,
   getTmpDir,
   isDryRun,
+  readEnvironmentVariable,
   recordActivity,
+  recordDecisionActivity,
+  recordSensitiveFileRead,
   safeExistsSync,
+  safeExtractArchive,
   safeMkdirSync,
   safeMkdtempSync,
   safeRmSync,
@@ -32,6 +36,13 @@ import { getDirs, getOnlyDirs } from "./containerutils.js";
 
 export const isWin = _platform() === "win32";
 export const DOCKER_HUB_REGISTRY = "docker.io";
+// Docker commonly stores Hub credentials under index.docker.io or
+// registry-1.docker.io while pulls target docker.io.
+const DOCKER_HUB_REGISTRY_ALIASES = new Set([
+  DOCKER_HUB_REGISTRY,
+  "index.docker.io",
+  "registry-1.docker.io",
+]);
 
 /**
  * Encode a value as base64url (RFC 4648 §5) with padding.
@@ -42,6 +53,212 @@ export const DOCKER_HUB_REGISTRY = "docker.io";
 const toBase64Url = (value) =>
   Buffer.from(value).toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
 
+const normalizeRegistryPath = (registryPath) => {
+  if (!registryPath || registryPath === "/") {
+    return "";
+  }
+  let normalizedPath = registryPath.trim();
+  if (!normalizedPath.startsWith("/")) {
+    normalizedPath = `/${normalizedPath}`;
+  }
+  while (normalizedPath.endsWith("/")) {
+    normalizedPath = normalizedPath.slice(0, -1);
+  }
+  const lowerCasePath = normalizedPath.toLowerCase();
+  if (lowerCasePath.endsWith("/v1") || lowerCasePath.endsWith("/v2")) {
+    normalizedPath = normalizedPath.slice(0, -3);
+  }
+  return normalizedPath === "/" ? "" : normalizedPath;
+};
+
+const buildRegistryAuthority = (hostname, port) => {
+  if (!hostname) {
+    return undefined;
+  }
+  hostname = hostname.toLowerCase();
+  if (hostname.includes(":") && !hostname.startsWith("[")) {
+    hostname = `[${hostname}]`;
+  }
+  if (port) {
+    return `${hostname}:${port}`;
+  }
+  return hostname;
+};
+
+const parseRawRegistryAuthority = (authority) => {
+  if (!authority?.trim()) {
+    return undefined;
+  }
+  authority = authority.trim();
+  if (authority.startsWith("[")) {
+    const closingBracketIndex = authority.indexOf("]");
+    if (closingBracketIndex === -1) {
+      return undefined;
+    }
+    const hostname = authority.slice(0, closingBracketIndex + 1);
+    const portSuffix = authority.slice(closingBracketIndex + 1);
+    if (!portSuffix) {
+      return buildRegistryAuthority(hostname);
+    }
+    if (!/^:\d+$/.test(portSuffix)) {
+      return undefined;
+    }
+    return buildRegistryAuthority(hostname, portSuffix.slice(1));
+  }
+  const colonIndex = authority.lastIndexOf(":");
+  if (colonIndex > -1 && authority.indexOf(":") === colonIndex) {
+    const portCandidate = authority.slice(colonIndex + 1);
+    if (/^\d+$/.test(portCandidate)) {
+      return buildRegistryAuthority(
+        authority.slice(0, colonIndex),
+        portCandidate,
+      );
+    }
+  }
+  return buildRegistryAuthority(authority);
+};
+
+const parseRegistryReference = (registry) => {
+  if (!registry?.trim()) {
+    return undefined;
+  }
+  registry = registry.trim();
+  if (registry.includes("://")) {
+    if (!URL.canParse(registry)) {
+      return undefined;
+    }
+    const registryUrl = new URL(registry);
+    const authoritySource = registry
+      .slice(registry.indexOf("://") + 3)
+      .split("/")[0];
+    return {
+      authority: parseRawRegistryAuthority(authoritySource),
+      path: normalizeRegistryPath(registryUrl.pathname),
+    };
+  }
+  const slashIndex = registry.indexOf("/");
+  const authority =
+    slashIndex === -1 ? registry : registry.slice(0, slashIndex);
+  const registryPath = slashIndex === -1 ? "" : registry.slice(slashIndex);
+  if (!authority) {
+    return undefined;
+  }
+  try {
+    // Raw registry references such as host:port are not absolute URLs, so we
+    // add an https scheme only to parse the authority and optional port.
+    return {
+      authority: parseRawRegistryAuthority(authority),
+      path: normalizeRegistryPath(registryPath),
+    };
+  } catch (_err) {
+    return undefined;
+  }
+};
+
+const looksLikeImageReference = (value) => {
+  if (typeof value !== "string" || !value.trim()) {
+    return false;
+  }
+  value = value.trim();
+  if (value.includes("://")) {
+    return false;
+  }
+  if (!value.includes("/")) {
+    if (value.includes(":")) {
+      const tagOrPortSuffix = value.slice(value.lastIndexOf(":") + 1);
+      if (!/^\d+$/.test(tagOrPortSuffix)) {
+        return true;
+      }
+      return !parseRegistryReference(value)?.authority;
+    }
+    return !(
+      value.includes(".") ||
+      value === "localhost" ||
+      value.startsWith("[")
+    );
+  }
+  const firstSegment = value.split("/")[0];
+  return !(
+    parseRegistryReference(firstSegment)?.authority &&
+    (firstSegment.includes(".") ||
+      firstSegment.includes(":") ||
+      firstSegment === "localhost" ||
+      firstSegment.startsWith("["))
+  );
+};
+
+const resolveRequestedRegistryRef = (forRegistry, requestedRegistryRef) => {
+  const fallbackRegistry =
+    forRegistry || process.env.DOCKER_SERVER_ADDRESS || DOCKER_HUB_REGISTRY;
+  if (
+    typeof requestedRegistryRef !== "string" ||
+    !requestedRegistryRef.trim()
+  ) {
+    return fallbackRegistry;
+  }
+  requestedRegistryRef = requestedRegistryRef.trim();
+  if (requestedRegistryRef.includes("://")) {
+    return requestedRegistryRef;
+  }
+  return looksLikeImageReference(requestedRegistryRef)
+    ? fallbackRegistry
+    : requestedRegistryRef;
+};
+
+const extractRequestedRegistryRefFromPath = (path, forRegistry) => {
+  if (!path?.includes("?")) {
+    return resolveRequestedRegistryRef(forRegistry, forRegistry);
+  }
+  const queryString = path.slice(path.indexOf("?") + 1);
+  const requestedImageRef = new URLSearchParams(queryString).get("fromImage");
+  return resolveRequestedRegistryRef(
+    forRegistry,
+    requestedImageRef || forRegistry,
+  );
+};
+
+const normalizeRegistryReference = (registry) => {
+  const parsedRegistry = parseRegistryReference(registry);
+  if (!parsedRegistry?.authority) {
+    return undefined;
+  }
+  return parsedRegistry.path
+    ? `${parsedRegistry.authority}${parsedRegistry.path}`
+    : parsedRegistry.authority;
+};
+
+const registriesMatch = (configuredRegistry, requestedRegistry) => {
+  if (!requestedRegistry) {
+    return false;
+  }
+  const normalizedConfiguredRegistry =
+    parseRegistryReference(configuredRegistry);
+  const normalizedRequestedRegistry = parseRegistryReference(requestedRegistry);
+  if (
+    !normalizedConfiguredRegistry?.authority ||
+    !normalizedRequestedRegistry?.authority
+  ) {
+    return false;
+  }
+  const hostMatches =
+    normalizedConfiguredRegistry.authority ===
+      normalizedRequestedRegistry.authority ||
+    (DOCKER_HUB_REGISTRY_ALIASES.has(normalizedConfiguredRegistry.authority) &&
+      DOCKER_HUB_REGISTRY_ALIASES.has(normalizedRequestedRegistry.authority));
+  if (!hostMatches) {
+    return false;
+  }
+  if (!normalizedConfiguredRegistry.path) {
+    return true;
+  }
+  return (
+    normalizedConfiguredRegistry.path === normalizedRequestedRegistry.path ||
+    normalizedRequestedRegistry.path.startsWith(
+      `${normalizedConfiguredRegistry.path}/`,
+    )
+  );
+};
+
 // Should we extract the tar image in non-strict mode
 const NON_STRICT_TAR_EXTRACT = ["true", "1"].includes(
   process?.env?.NON_STRICT_TAR_EXTRACT,
@@ -185,19 +402,52 @@ const REQUEST_TIMEOUT_SECS = 60000;
  *
  * @param {string} [forRegistry] Registry hostname (e.g. "registry-1.docker.io").
  *   Defaults to DOCKER_SERVER_ADDRESS env var or "docker.io".
+ * @param {string} [requestedRegistryRef] Requested registry/image reference used
+ *   to scope config.json auth matching. Unqualified images default to Docker Hub.
  * @returns {Object} Options object suitable for passing to `got`
  */
-const getDefaultOptions = (forRegistry) => {
+const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
   let authTokenSet = false;
-  if (!forRegistry) {
-    forRegistry = process.env.DOCKER_SERVER_ADDRESS ?? DOCKER_HUB_REGISTRY;
-  }
-  if (forRegistry) {
-    forRegistry = forRegistry.replace("http://", "").replace("https://", "");
-    if (forRegistry.includes("/")) {
-      forRegistry = forRegistry.split("/")[0];
+  const credentialSourceEvaluations = [];
+  let selectedCredentialSource;
+  const noteCredentialSource = (source, outcome, detail = undefined) => {
+    credentialSourceEvaluations.push({
+      detail,
+      outcome,
+      source,
+    });
+    if (outcome === "selected") {
+      selectedCredentialSource = source;
     }
+  };
+  const dockerServerAddress = readEnvironmentVariable("DOCKER_SERVER_ADDRESS");
+  const dockerConfig = readEnvironmentVariable("DOCKER_CONFIG");
+  const dockerAuthConfig = readEnvironmentVariable("DOCKER_AUTH_CONFIG", {
+    sensitive: true,
+  });
+  const dockerUser = readEnvironmentVariable("DOCKER_USER", {
+    sensitive: true,
+  });
+  const dockerPassword = readEnvironmentVariable("DOCKER_PASSWORD", {
+    sensitive: true,
+  });
+  const dockerEmail = readEnvironmentVariable("DOCKER_EMAIL", {
+    sensitive: true,
+  });
+  if (!forRegistry) {
+    forRegistry = dockerServerAddress ?? DOCKER_HUB_REGISTRY;
   }
+  requestedRegistryRef = resolveRequestedRegistryRef(
+    forRegistry,
+    requestedRegistryRef,
+  );
+  const normalizedForRegistry =
+    parseRegistryReference(forRegistry)?.authority ?? forRegistry;
+  const authDecisionTarget =
+    requestedRegistryRef ||
+    normalizedForRegistry ||
+    forRegistry ||
+    DOCKER_HUB_REGISTRY;
   const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
@@ -214,47 +464,64 @@ const getDefaultOptions = (forRegistry) => {
     hooks: { beforeError: [] },
     mutableDefaults: true,
   };
-  const DOCKER_CONFIG = process.env.DOCKER_CONFIG || join(homedir(), ".docker");
+  const DOCKER_CONFIG = dockerConfig || join(homedir(), ".docker");
+  const dockerConfigFile = join(DOCKER_CONFIG, "config.json");
   // Support for private registry
-  if (process.env.DOCKER_AUTH_CONFIG) {
+  if (dockerAuthConfig) {
     opts.headers = {
-      "X-Registry-Auth": process.env.DOCKER_AUTH_CONFIG,
+      "X-Registry-Auth": dockerAuthConfig,
     };
     authTokenSet = true;
+    noteCredentialSource("DOCKER_AUTH_CONFIG", "selected");
+  } else {
+    noteCredentialSource("DOCKER_AUTH_CONFIG", "skipped", "not set");
   }
   if (
     !authTokenSet &&
-    process.env.DOCKER_USER &&
-    process.env.DOCKER_PASSWORD &&
-    process.env.DOCKER_EMAIL &&
-    forRegistry
+    dockerUser &&
+    dockerPassword &&
+    dockerEmail &&
+    normalizedForRegistry
   ) {
     const authPayload = {
-      username: process.env.DOCKER_USER,
-      email: process.env.DOCKER_EMAIL,
-      serveraddress: forRegistry,
+      username: dockerUser,
+      email: dockerEmail,
+      serveraddress: normalizedForRegistry,
     };
-    if (process.env.DOCKER_USER === "<token>") {
-      authPayload.IdentityToken = process.env.DOCKER_PASSWORD;
+    if (dockerUser === "<token>") {
+      authPayload.IdentityToken = dockerPassword;
     } else {
-      authPayload.password = process.env.DOCKER_PASSWORD;
+      authPayload.password = dockerPassword;
     }
     opts.headers = {
       "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
     };
-  }
-  if (!authTokenSet && safeExistsSync(join(DOCKER_CONFIG, "config.json"))) {
-    const configData = readFileSync(
-      join(DOCKER_CONFIG, "config.json"),
-      "utf-8",
+    authTokenSet = true;
+    noteCredentialSource(
+      "DOCKER_USER/DOCKER_PASSWORD/DOCKER_EMAIL",
+      "selected",
     );
+  } else if (!authTokenSet) {
+    noteCredentialSource(
+      "DOCKER_USER/DOCKER_PASSWORD/DOCKER_EMAIL",
+      "skipped",
+      dockerUser || dockerPassword || dockerEmail
+        ? "incomplete environment credentials"
+        : "not set",
+    );
+  }
+  if (!authTokenSet && safeExistsSync(dockerConfigFile)) {
+    const configData = readFileSync(dockerConfigFile, "utf-8");
+    recordSensitiveFileRead(dockerConfigFile, {
+      label: "Docker credential file",
+    });
     if (configData) {
       try {
         const configJson = JSON.parse(configData);
         if (configJson.auths) {
           // Check if there are hardcoded tokens
           for (const serverAddress of Object.keys(configJson.auths)) {
-            if (forRegistry && !serverAddress.includes(forRegistry)) {
+            if (!registriesMatch(serverAddress, requestedRegistryRef)) {
               continue;
             }
             if (configJson.auths[serverAddress].auth) {
@@ -274,6 +541,11 @@ const getDefaultOptions = (forRegistry) => {
                 "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
               };
               authTokenSet = true;
+              noteCredentialSource(
+                "docker-config-auth",
+                "selected",
+                serverAddress,
+              );
               break;
             }
             if (configJson.credsStore) {
@@ -286,6 +558,11 @@ const getDefaultOptions = (forRegistry) => {
                   "X-Registry-Auth": helperAuthToken,
                 };
                 authTokenSet = true;
+                noteCredentialSource(
+                  `docker-credential-helper:${configJson.credsStore}`,
+                  "selected",
+                  serverAddress,
+                );
                 break;
               }
             }
@@ -293,7 +570,7 @@ const getDefaultOptions = (forRegistry) => {
         } else if (configJson.credHelpers) {
           // Support for credential helpers
           for (const serverAddress of Object.keys(configJson.credHelpers)) {
-            if (forRegistry && !serverAddress.includes(forRegistry)) {
+            if (!registriesMatch(serverAddress, requestedRegistryRef)) {
               continue;
             }
             if (configJson.credHelpers[serverAddress]) {
@@ -306,22 +583,40 @@ const getDefaultOptions = (forRegistry) => {
                   "X-Registry-Auth": helperAuthToken,
                 };
                 authTokenSet = true;
+                noteCredentialSource(
+                  `docker-credential-helper:${configJson.credHelpers[serverAddress]}`,
+                  "selected",
+                  serverAddress,
+                );
                 break;
               }
             }
           }
         }
+        if (!authTokenSet) {
+          noteCredentialSource(
+            "docker-config",
+            "skipped",
+            "no matching config.json auth entry",
+          );
+        }
       } catch (_err) {
         // pass
+        noteCredentialSource("docker-config", "skipped", "config parse failed");
       }
     }
+  } else if (!authTokenSet) {
+    noteCredentialSource("docker-config", "skipped", "config.json not found");
   }
   const userInfo = _userInfo();
   opts.podmanPrefixUrl = isWin ? "" : "http://unix:/run/podman/podman.sock:";
   opts.podmanRootlessPrefixUrl = isWin
     ? ""
     : `http://unix:/run/user/${userInfo.uid}/podman/podman.sock:`;
-  if (!process.env.DOCKER_HOST) {
+  const dockerHost = readEnvironmentVariable("DOCKER_HOST");
+  const dockerCertPath = readEnvironmentVariable("DOCKER_CERT_PATH");
+  const dockerTlsVerify = readEnvironmentVariable("DOCKER_TLS_VERIFY");
+  if (!dockerHost) {
     if (isPodman) {
       opts.prefixUrl = isPodmanRootless
         ? opts.podmanRootlessPrefixUrl
@@ -345,7 +640,7 @@ const getDefaultOptions = (forRegistry) => {
       }
     }
   } else {
-    let hostStr = process.env.DOCKER_HOST;
+    let hostStr = dockerHost;
     if (hostStr.startsWith("unix:///")) {
       hostStr = hostStr.replace("unix:///", "http://unix:/");
       if (hostStr.includes("docker.sock")) {
@@ -354,29 +649,54 @@ const getDefaultOptions = (forRegistry) => {
       }
     }
     opts.prefixUrl = hostStr;
-    if (process.env.DOCKER_CERT_PATH) {
+    if (dockerCertPath) {
+      const dockerCertFile = join(dockerCertPath, "cert.pem");
+      const dockerKeyFile = join(dockerCertPath, "key.pem");
+      const dockerCertificate = readFileSync(dockerCertFile, "utf8");
+      recordSensitiveFileRead(dockerCertFile, {
+        label: "Docker client certificate",
+      });
+      const dockerKey = readFileSync(dockerKeyFile, "utf8");
+      recordSensitiveFileRead(dockerKeyFile, {
+        label: "Docker client private key",
+      });
       opts.https = {
-        certificate: readFileSync(
-          join(process.env.DOCKER_CERT_PATH, "cert.pem"),
-          "utf8",
-        ),
-        key: readFileSync(
-          join(process.env.DOCKER_CERT_PATH, "key.pem"),
-          "utf8",
-        ),
+        certificate: dockerCertificate,
+        key: dockerKey,
       };
       // Disable tls on empty values
       // From the docker docs: Setting the DOCKER_TLS_VERIFY environment variable to any value other than the empty string is equivalent to setting the --tlsverify flag
-      if (
-        process.env.DOCKER_TLS_VERIFY &&
-        process.env.DOCKER_TLS_VERIFY === ""
-      ) {
+      if (dockerTlsVerify === "") {
         opts.https.rejectUnauthorized = false;
         console.log("TLS Verification disabled for", hostStr);
       }
     }
   }
 
+  if (!selectedCredentialSource) {
+    noteCredentialSource(
+      "anonymous",
+      "selected",
+      "no credential source resolved",
+    );
+  }
+  const skippedSources = credentialSourceEvaluations
+    .filter((entry) => entry.outcome !== "selected")
+    .map((entry) =>
+      entry.detail ? `${entry.source} (${entry.detail})` : entry.source,
+    );
+  recordDecisionActivity(`docker-auth:${authDecisionTarget}`, {
+    metadata: {
+      decisionType: "credential-source-selection",
+      evaluatedSources: credentialSourceEvaluations.map(
+        ({ detail, outcome, source }) =>
+          detail ? `${source}:${outcome}:${detail}` : `${source}:${outcome}`,
+      ),
+      selectedSource: selectedCredentialSource,
+    },
+    reason: `Selected Docker auth source '${selectedCredentialSource}' for ${authDecisionTarget}. Skipped: ${skippedSources.length ? skippedSources.join(", ") : "none"}.`,
+  });
+
   return opts;
 };
 
@@ -395,7 +715,20 @@ const getDefaultOptions = (forRegistry) => {
  *   daemon base URL, or `undefined`
  */
 export const getConnection = async (options, forRegistry) => {
+  if (isContainerd || isNerdctl) {
+    return undefined;
+  }
   if (isDryRun) {
+    try {
+      getDefaultOptions(forRegistry);
+    } catch (error) {
+      recordActivity({
+        kind: "read",
+        reason: `Dry run mode failed while tracing Docker credential inputs: ${error.message}`,
+        status: "failed",
+        target: error?.path || forRegistry || "container-daemon",
+      });
+    }
     recordActivity({
       kind: "network",
       reason:
@@ -405,9 +738,6 @@ export const getConnection = async (options, forRegistry) => {
     });
     return undefined;
   }
-  if (isContainerd || isNerdctl) {
-    return undefined;
-  }
   if (!dockerConn) {
     const defaultOptions = getDefaultOptions(forRegistry);
     const podmanRootlessUrl = defaultOptions.podmanRootlessPrefixUrl;
@@ -535,7 +865,10 @@ export const makeRequest = async (path, method, forRegistry) => {
   }
   // Use the client's prefixUrl (set correctly by getConnection for
   // docker/podman). Only pass per-request auth headers and method options.
-  const defaultOptions = getDefaultOptions(forRegistry);
+  const defaultOptions = getDefaultOptions(
+    forRegistry,
+    extractRequestedRegistryRefFromPath(path, forRegistry),
+  );
   const opts = {
     responseType: method === "GET" ? "json" : "buffer",
     resolveBodyOnly: true,
@@ -858,13 +1191,17 @@ export const getImage = async (fullImageName) => {
   return localData;
 };
 
+/**
+ * @typedef {{ path: string }} TarReadEntryLike
+ */
+
 /**
  * Warnings such as TAR_ENTRY_INFO are treated as errors in strict mode. While this is mostly desired, we can relax this
  * requirement for one particular warning related to absolute paths.
  * This callback function checks for absolute paths in the entry read from the archive and strips them using a custom
  * method.
  *
- * @param entry {tar.ReadEntry} ReadEntry object from node-tar
+ * @param {TarReadEntryLike} entry ReadEntry object from node-tar
  */
 function handleAbsolutePath(entry) {
   if (entry.path === "/" || win32.isAbsolute(entry.path)) {
@@ -981,34 +1318,36 @@ const EXTRACT_EXCLUDE_TYPES = new Set([
  *   empty or a non-fatal error was encountered
  */
 export const extractTar = async (fullImageName, dir, options) => {
-  if (isDryRun) {
-    recordActivity({
-      kind: "untar",
-      reason:
-        "Dry run mode blocks untar and layer extraction operations because they create files on disk.",
-      status: "blocked",
-      target: `${fullImageName} -> ${dir}`,
-    });
-    return false;
-  }
   try {
-    await stream.pipeline(
-      createReadStream(fullImageName),
-      x({
-        sync: false,
-        preserveOwner: false,
-        noMtime: true,
-        noChmod: true,
-        strict: !NON_STRICT_TAR_EXTRACT,
-        C: dir,
-        portable: true,
-        unlink: true,
-        onwarn: handleTarWarning,
-        onReadEntry: handleAbsolutePath,
-        filter: tarFilter,
-      }),
+    return await safeExtractArchive(
+      fullImageName,
+      dir,
+      async () =>
+        await stream.pipeline(
+          createReadStream(fullImageName),
+          x({
+            sync: false,
+            preserveOwner: false,
+            noMtime: true,
+            noChmod: true,
+            strict: !NON_STRICT_TAR_EXTRACT,
+            C: dir,
+            portable: true,
+            unlink: true,
+            onwarn: handleTarWarning,
+            onReadEntry: handleAbsolutePath,
+            filter: tarFilter,
+          }),
+        ),
+      "untar",
+      {
+        blockedReason:
+          "Dry run mode blocks untar and layer extraction operations because they create files on disk.",
+        metadata: {
+          archiveFormat: "tar",
+        },
+      },
     );
-    return true;
   } catch (err) {
     if (err.code === "EPERM" && err.syscall === "symlink") {
       console.log(
@@ -1382,7 +1721,22 @@ export const extractFromManifest = async (
  * Returns the location of the layers with additional packages related metadata
  */
 export const exportImage = async (fullImageName, options) => {
+  // Safely ignore local directories
+  if (
+    !fullImageName ||
+    fullImageName === "." ||
+    safeExistsSync(resolve(fullImageName))
+  ) {
+    return undefined;
+  }
   if (isDryRun) {
+    const imageDetails = parseImageName(fullImageName);
+    const requestedRegistryRef = imageDetails.registry
+      ? imageDetails.repo
+        ? `${imageDetails.registry}/${imageDetails.repo}`
+        : imageDetails.registry
+      : DOCKER_HUB_REGISTRY;
+    await getConnection({}, requestedRegistryRef);
     recordActivity({
       kind: "container",
       reason:
@@ -1392,14 +1746,6 @@ export const exportImage = async (fullImageName, options) => {
     });
     return undefined;
   }
-  // Safely ignore local directories
-  if (
-    !fullImageName ||
-    fullImageName === "." ||
-    safeExistsSync(resolve(fullImageName))
-  ) {
-    return undefined;
-  }
   // Try to get the data locally first
   const localData = await getImage(fullImageName);
   if (!localData) {
@@ -1694,8 +2040,9 @@ export const removeImage = async (fullImageName, force = false) => {
  *   if the helper is unavailable or returns an error
  */
 export const getCredsFromHelper = (exeSuffix, serverAddress) => {
-  if (registry_auth_keys[serverAddress]) {
-    return registry_auth_keys[serverAddress];
+  const cacheKey = `${exeSuffix}:${normalizeRegistryReference(serverAddress) ?? serverAddress}`;
+  if (registry_auth_keys[cacheKey]) {
+    return registry_auth_keys[cacheKey];
   }
   let credHelperExe = `docker-credential-${exeSuffix}`;
   if (isWin) {
@@ -1711,22 +2058,21 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
   } else if (result.stdout) {
     const cmdOutput = Buffer.from(result.stdout).toString();
     try {
+      const dockerUser = readEnvironmentVariable("DOCKER_USER", {
+        sensitive: true,
+      });
+      const dockerPassword = readEnvironmentVariable("DOCKER_PASSWORD", {
+        sensitive: true,
+      });
       const authPayload = JSON.parse(cmdOutput);
       const fixedAuthPayload = {
-        username:
-          authPayload.username ||
-          authPayload.Username ||
-          process.env.DOCKER_USER,
-        password:
-          authPayload.password ||
-          authPayload.Secret ||
-          process.env.DOCKER_PASSWORD,
-        email:
-          authPayload.email || authPayload.username || process.env.DOCKER_USER,
+        username: authPayload.username || authPayload.Username || dockerUser,
+        password: authPayload.password || authPayload.Secret || dockerPassword,
+        email: authPayload.email || authPayload.username || dockerUser,
         serveraddress: serverAddress,
       };
       const authKey = toBase64Url(JSON.stringify(fixedAuthPayload));
-      registry_auth_keys[serverAddress] = authKey;
+      registry_auth_keys[cacheKey] = authKey;
       return authKey;
     } catch (_err) {
       return undefined;