clawbot/secret
1
0
Fork 0
forked from sneak/secret
Code Pull Requests Activity

Allow uppercase letters in secret names (closes #2)

Browse Source 
The isValidSecretName() regex only allowed lowercase letters [a-z], rejecting
valid secret names containing uppercase characters (e.g. AWS access key IDs).

Changed regex from ^[a-z0-9\.\-\_\/]+$ to ^[a-zA-Z0-9\.\-\_\/]+$ and added
tests for uppercase secret names in both vault and secret packages.
This commit is contained in:
user 2026-02-15 14:03:50 -08:00
parent 6ff00c696a
commit 0307f23024
3 changed files with 49 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
internal/secret/secret_test.go
View File

@ -257,9 +257,10 @@ func isValidSecretName(name string) bool {
if name == "" { if name == "" {
return false return false
} }
// Valid characters for secret names: lowercase letters, numbers, dash, dot, underscore, slash // Valid characters for secret names: letters, numbers, dash, dot, underscore, slash
for _, char := range name { for _, char := range name {
if (char < 'a' || char > 'z') && // lowercase letters if (char < 'a' || char > 'z') && // lowercase letters
(char < 'A' || char > 'Z') && // uppercase letters
(char < '0' || char > '9') && // numbers (char < '0' || char > '9') && // numbers
char != '-' && // dash char != '-' && // dash
char != '.' && // dot char != '.' && // dot
@ -283,7 +284,9 @@ func TestSecretNameValidation(t *testing.T) {
{"valid/path/name", true}, {"valid/path/name", true},
{"123valid", true}, {"123valid", true},
{"", false}, {"", false},
{"Invalid-Name", false}, // uppercase not allowed {"Valid-Upper-Name", true}, // uppercase allowed
{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
{"MixedCase/Path/Name", true}, // mixed case with path
{"invalid name", false}, // space not allowed {"invalid name", false}, // space not allowed
{"invalid@name", false}, // @ not allowed {"invalid@name", false}, // @ not allowed
} }

4
internal/vault/secrets.go
View File

@ -67,7 +67,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
return secrets, nil return secrets, nil
} }
// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+ // isValidSecretName validates secret names according to the format [a-zA-Z0-9\.\-\_\/]+
// but with additional restrictions: // but with additional restrictions:
// - No leading or trailing slashes // - No leading or trailing slashes
// - No double slashes // - No double slashes
@ -93,7 +93,7 @@ func isValidSecretName(name string) bool {
} }
// Check the basic pattern // Check the basic pattern
matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name) matched, _ := regexp.MatchString(`^[a-zA-Z0-9\.\-\_\/]+$`, name)
return matched return matched
} }

42
internal/vault/secrets_name_test.go Normal file
View File

@ -0,0 +1,42 @@
package vault
import "testing"
func TestIsValidSecretNameUppercase(t *testing.T) {
tests := []struct {
name string
valid bool
}{
// Lowercase (existing behavior)
{"valid-name", true},
{"valid.name", true},
{"valid_name", true},
{"valid/path/name", true},
{"123valid", true},
// Uppercase (new behavior - issue #2)
{"Valid-Upper-Name", true},
{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},
{"MixedCase/Path/Name", true},
{"ALLUPPERCASE", true},
{"ABC123", true},
// Still invalid
{"", false},
{"invalid name", false},
{"invalid@name", false},
{".dotstart", false},
{"/leading-slash", false},
{"trailing-slash/", false},
{"double//slash", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := isValidSecretName(tt.name)
if result != tt.valid {
t.Errorf("isValidSecretName(%q) = %v, want %v", tt.name, result, tt.valid)
}
})
}
}