chore: Improve the Base64Provider resilience to malformed configuration files

src/Testcontainers/Builders/Base64Provider.cs

@@ -72,12 +72,20 @@ public IDockerRegistryAuthenticationConfiguration GetAuthConfig(string hostname)
         return null;
       }
 
-      if (string.IsNullOrEmpty(auth.GetString()))
+      var authValue = JsonValueKind.String.Equals(auth.ValueKind) ? auth.GetString() : null;
+
+      if (string.IsNullOrEmpty(authValue))
+      {
+        return null;
+      }
+
+      var credentialInBytes = DecodeBase64String(authValue);
+
+      if (credentialInBytes == null)
       {
         return null;
       }
 
-      var credentialInBytes = Convert.FromBase64String(auth.GetString());
       var credential = Encoding.UTF8.GetString(credentialInBytes).Split(new[] { ':' }, 2);
 
       if (credential.Length != 2)
@@ -88,5 +96,18 @@ public IDockerRegistryAuthenticationConfiguration GetAuthConfig(string hostname)
       _logger.DockerRegistryCredentialFound(hostname);
       return new DockerRegistryAuthenticationConfiguration(authProperty.Name, credential[0], credential[1]);
     }
+
+    [CanBeNull]
+    private static byte[] DecodeBase64String(string base64)
+    {
+      try
+      {
+        return Convert.FromBase64String(base64);
+      }
+      catch (FormatException)
+      {
+        return null;
+      }
+    }
   }
 }

tests/Testcontainers.Tests/Unit/Builders/Base64ProviderTest.cs

@@ -0,0 +1,65 @@
+using System.Text.Json;
+using DotNet.Testcontainers.Builders;
+using Microsoft.Extensions.Logging.Abstractions;
+using Xunit;
+
+namespace DotNet.Testcontainers.Tests.Unit
+{
+  public class Base64ProviderTest
+  {
+    [Fact]
+    public void ShouldDecodeAuth()
+    {
+      // Given
+      // lang=json
+      const string config = """
+      {
+        "auths": {
+          "https://index.docker.io/v1/": {
+            "auth": "dXNlcjpwYXNzd29yZA=="
+          }
+        }
+      }
+      """;
+      var provider = new Base64Provider(JsonDocument.Parse(config), NullLogger.Instance);
+
+      // When
+      var authConfig = provider.GetAuthConfig("https://index.docker.io/v1/");
+
+      // Then
+      Assert.NotNull(authConfig);
+      Assert.Equal("https://index.docker.io/v1/", authConfig.RegistryEndpoint);
+      Assert.Equal("user", authConfig.Username);
+      Assert.Equal("password", authConfig.Password);
+      Assert.Null(authConfig.IdentityToken);
+    }
+
+    [Theory]
+    [InlineData("{}")]
+    [InlineData("null")]
+    [InlineData("\"not base 64\"")]
+    [InlineData("\"ww==\"")] // invalid UTF8 (single 0xC3 byte)
+    [InlineData("\"Xw==\"")] // valid base 64 but contains no colon separator
+    public void ShouldNotDecodeAuth(string auth)
+    {
+      // Given
+      // lang=json
+      var config = $$"""
+      {
+        "auths": {
+          "https://index.docker.io/v1/": {
+            "auth": {{auth}}
+          }
+        }
+      }
+      """;
+      var provider = new Base64Provider(JsonDocument.Parse(config), NullLogger.Instance);
+
+      // When
+      var authConfig = provider.GetAuthConfig("https://index.docker.io/v1/");
+
+      // Then
+      Assert.Null(authConfig);
+    }
+  }
+}