remote: validate foreign layer URLs to prevent SSRF

[AlexJohnWilcox]

Summary

Foreign layer descriptors in OCI/Docker image manifests can contain arbitrary URLs in the urls field (OCI Image Spec). When the registry blob endpoint returns 404, the client fetches these foreign URLs with no validation. A malicious registry can serve manifests with foreign layer URLs pointing to internal services (e.g. cloud metadata at 169.254.169.254, RFC 1918 addresses), causing SSRF from any library consumer.

This PR adds two fixes:

1. Foreign layer URL validation (pkg/v1/remote/image.go)

Adds validateForeignURL() to reject foreign layer URLs that:

• Use non-HTTP(S) schemes (ftp://, file://, etc.)
• Reference private, loopback, link-local, or unspecified IP literals

This is consistent with the existing validateRealmURL() protection added in #2243 for Bearer auth realm URLs. DNS-based SSRF remains out of scope, matching the design decision in validateRealmURL().

2. IsUnspecified gap in validateRealmURL (pkg/v1/remote/transport/bearer.go)

validateRealmURL() checks IsLoopback, IsPrivate, IsLinkLocalUnicast, and IsLinkLocalMulticast but not IsUnspecified. The addresses 0.0.0.0 and [::] pass all four checks but connect to localhost on Linux/macOS. Adds ip.IsUnspecified() to close this gap.

Test plan

• Added TestValidateForeignURL — table-driven unit test (12 cases covering public, private, loopback, link-local, unspecified IPs and disallowed schemes)
• Added TestPullingForeignLayerSSRF — integration test that verifies pulling an image with a foreign layer URL pointing to 169.254.169.254 is rejected
• Added TestValidateRealmURL — table-driven unit test (11 cases including 0.0.0.0 and [::])
• Existing TestPullingForeignLayer updated and passing
• Full go test ./pkg/v1/remote/ ./pkg/v1/remote/transport/ passes

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.05%. Comparing base (8b3c303) to head (9f6bd52).
⚠️ Report is 86 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (8b3c303) and HEAD (9f6bd52). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (8b3c303)	HEAD (9f6bd52)
	2	1

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2259       +/-   ##
===========================================
- Coverage   71.67%   53.05%   -18.63%     
===========================================
  Files         123      165       +42     
  Lines        9935    11219     +1284     
===========================================
- Hits         7121     5952     -1169     
- Misses       2115     4555     +2440     
- Partials      699      712       +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.