kubernetes/kubernetes
docker credential JSON: validate non UTF-8 characters
Open
#131982 opened on May 27, 2025
Labels: help wanted, kind/bug, priority/backlog, sig/node, sig/security, triage/accepted
Description
What happened?
Using base64 encoding, it’s possible to include arbitrary data (including non-UTF-8 strings) that can pass Kubernetes validation. While this may be a minor issue within Kubernetes itself and likely not exploitable directly, it could pose a risk to external systems that consume these secrets. If such systems assume UTF-8 encoding, they might be vulnerable to unexpected behavior or exploitation.
What did you expect to happen?
The input should be rejected with an "invalid UTF-8" error.
How can we reproduce it (as minimally and precisely as possible)?
A test case for https://github.com/kubernetes/kubernetes/blob/a647c6a8893df95050d6acbd60850df420d90518/pkg/credentialprovider/config_test.go#L122
```go
// auth field decodes to username & password with non UTF-8 characters
{
	input: []byte(`{"auth": "YcV6OmHFeg==", "email": "foo@example.com"}`),
	expect: DockerConfigEntry{
		Username: "a\xc5z",
		Password: "a\xc5z",
		Email:    "foo@example.com",
	},
	fail: false,
},
```
I'd expect this input to fail with an invalid character error:
```go
s := string(decoded)
if !utf8.ValidString(s) {
	return "", "", errors.New("invalid UTF-8")
}
parts := strings.SplitN(s, ":", 2)
```
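The decode path with the proposed UTF-8 check in place, as an added stand-alone example rather than the kubelet's own code; the function name `decodeDockerConfigAuth` is assumed, and the inputs are the report's `YcV6OmHFeg==` plus constructed well-formed and malformed entries:

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// decodeDockerConfigAuth decodes a docker config "auth" value, which is
// base64("username:password"), rejects decoded bytes that are not valid
// UTF-8, and only then splits on the first ':'. Added example; the name
// and error strings are assumptions, not the project's own code.
func decodeDockerConfigAuth(auth string) (username, password string, err error) {
	decoded, err := base64.StdEncoding.DecodeString(auth)
	if err != nil {
		return "", "", fmt.Errorf("base64 decode failed: %w", err)
	}
	s := string(decoded)
	// Without this check "a\xc5z:a\xc5z" would be accepted and handed on
	// to consumers that assume UTF-8.
	if !utf8.ValidString(s) {
		return "", "", errors.New("invalid UTF-8")
	}
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed auth entry: expected username:password")
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed inputs: a well-formed entry, the non-UTF-8 entry from the
	// report (decodes to "a\xc5z:a\xc5z"), and one without a separator.
	for _, auth := range []string{"dXNlcjpwYXNz", "YcV6OmHFeg==", "bm9jb2xvbg=="} {
		u, p, err := decodeDockerConfigAuth(auth)
		fmt.Printf("%-14s user=%q pass=%q err=%v\n", auth, u, p, err)
	}
}
```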
Anything else we need to know?
No response
Kubernetes version
master
Cloud provider
OS version
Install tools
No response
Container runtime (CRI) and version (if applicable)
No response
Related plugins (CNI, CSI, ...) and versions (if applicable)
No response