[ACR] az acr login: harden binary resolution and credential passing

[lizMSFT]

Related command
az acr login

Description
Harden Docker/Podman binary resolution and credential passing in az acr login:

• Validate the resolved Docker/Podman binary path before invoking it
• Switch credential passing from --password (command-line argument) to --password-stdin (stdin pipe)
• Add DOCKER_COMMAND environment variable support for specifying a trusted absolute path to the binary
• Refactor get_docker_command() into smaller helper functions for clarity
• Add unit tests for the new path validation logic.

Testing Guide

# Normal login (should work as before)
az acr login -n <registry>

History Notes
[ACR] az acr login: Harden binary resolution and credential passing

---

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.

[azure-client-tools-bot-prd]

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[Copilot]

Pull request overview

Hardens az acr login by validating the resolved docker/podman binary path (rejecting binaries located directly in CWD) and switching credential passing from --password (CLI arg, visible in process listings) to --password-stdin (piped via stdin). The get_docker_command flow is also refactored into smaller helpers and a DOCKER_COMMAND env var is honored as a trusted absolute-path override.

Changes:

• Switch _perform_registry_login to --password-stdin with BrokenPipeError/OSError handling and an updated wincred retry path.
• Add _validate_command_path to refuse binaries resolved from CWD, with a diagnostics-mode soft path; integrate it into a new _resolve_docker_command helper plus _try_wsl_exe_fallback.
• Add a unit test module covering CWD-block, system-path-allow, Windows-path, diagnostics, and symlink-bypass cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
src/azure-cli/azure/cli/command_modules/acr/custom.py	Refactors get_docker_command, adds CWD path validation, switches docker login to --password-stdin.
src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_docker_path_validation.py	New unit tests covering _validate_command_path behavior on POSIX, Windows, diagnostics, and symlink scenarios.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.