Merge pull request #5292 from openshift-cherrypick-robot/cherry-pick-5253-to-release-4.20

[release-4.20] OCPBUGS-61882: Add nil/null checks to image registry secret decode

Author: sdodson

pkg/secrets/secrets.go

@@ -186,17 +186,28 @@ func newImageRegistrySecretFromDockerConfigBytes(in []byte) (ImageRegistrySecret
 		return nil, fmt.Errorf("empty dockerconfig bytes")
 	}
 
+	// Check if the input is just the JSON null literal
+	if bytes.TrimSpace(in) != nil && string(bytes.TrimSpace(in)) == "null" {
+		return nil, fmt.Errorf("dockerconfig bytes contain JSON null")
+	}
+
 	errs := []error{}
 
 	cfg, err := decodeDockerConfigJSONBytes(in)
 	if err == nil {
+		if cfg == nil {
+			return nil, fmt.Errorf("decoded DockerConfigJSONBytes is nil")
+		}
 		return &imageRegistrySecretImpl{cfg: *cfg, isLegacyStyle: false}, nil
 	}
 
 	errs = append(errs, err)
 
 	auths, err := decodeDockercfgBytes(in)
 	if err == nil {
+		if auths == nil {
+			return nil, fmt.Errorf("decoded DockercfgBytes is nil")
+		}
 		return &imageRegistrySecretImpl{cfg: DockerConfigJSON{Auths: *auths}, isLegacyStyle: true}, nil
 	}