BUG: App name not validated server-side, only client-side HTML pattern #37

Closed
opened 2026-02-16 06:56:32 +01:00 by clawbot · 1 comment
Collaborator

Severity: MEDIUM

File: internal/handlers/app.go lines 44-79 (HandleAppCreate, HandleAppUpdate)

Description

The app name is used directly in:

  • Docker container names: "upaas-" + app.Name (deploy.go)
  • Docker image tags: "upaas-%s:%d" (deploy.go)
  • File system paths for build dirs and log files (deploy.go)
  • The HTML pattern="[a-z0-9-]+" attribute is only client-side validation

A crafted POST request bypassing the browser can submit names with spaces, special characters, path separators, etc., potentially causing:

  • Docker API errors with invalid container/image names
  • Path traversal in build directories
  • Log injection via app names in log messages

Suggested Fix

Add server-side validation matching the client-side pattern:

import (
    "fmt"
    "regexp"
)

// Anchored, and stricter than the HTML pattern: no leading or trailing hyphen.
var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)

// validateAppName rejects any name that cannot safely become a container
// name, image tag, or path component.
func validateAppName(name string) error {
    if len(name) < 2 || len(name) > 63 {
        return fmt.Errorf("name must be 2-63 characters")
    }
    if !validAppNameRe.MatchString(name) {
        return fmt.Errorf("name must contain only lowercase letters, numbers, and hyphens")
    }
    return nil
}

Apply this in both HandleAppCreate and HandleAppUpdate.
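The server-side check wired into a handler, as an added example rather than code from upaas or from this issue: it reuses the issue's regex, routes a form POST (the kind of request that skips the browser's pattern attribute) through a stand-in for HandleAppCreate, and shows why the check matters by computing the build directory a traversal name would resolve to. The handler, the buildDir and artifactNames helpers, the build root path and the form field name are assumptions for illustration, not the project's code.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path/filepath"
	"regexp"
	"strings"
)

// Same grammar as the issue's suggested fix: lowercase alphanumerics and
// hyphens, no leading or trailing hyphen, 2-63 characters. This also keeps
// the name a valid Docker container name and image repository component.
var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)

var ErrInvalidAppName = errors.New("name must be 2-63 lowercase letters, digits or hyphens, not starting or ending with a hyphen")

func validateAppName(name string) error {
	if len(name) < 2 || len(name) > 63 || !validAppNameRe.MatchString(name) {
		return ErrInvalidAppName
	}
	return nil
}

// buildDir is a hypothetical stand-in for the path construction the issue
// describes (the real deploy.go layout is not shown). It returns the joined
// path and whether that path still lies under root.
func buildDir(root, name string) (string, bool) {
	p := filepath.Join(root, name)
	rel, err := filepath.Rel(root, p)
	inside := err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
	return p, inside
}

// artifactNames derives the container name and image tag using the
// "upaas-" + name and "upaas-%s:%d" patterns quoted in the issue.
func artifactNames(name string, version int) (container, image string) {
	return "upaas-" + name, fmt.Sprintf("upaas-%s:%d", name, version)
}

// handleAppCreate is an assumed stand-in for HandleAppCreate: the name is
// validated before anything derived from it is built.
func handleAppCreate(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	name := r.FormValue("name") // "name" is an assumed form field
	if err := validateAppName(name); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	container, image := artifactNames(name, 1)
	fmt.Fprintf(w, "created %s (%s)\n", container, image)
}

// postName submits a form POST straight to the handler, as a crafted client
// would, and returns the HTTP status code.
func postName(name string) int {
	form := url.Values{"name": {name}}
	req := httptest.NewRequest(http.MethodPost, "/apps", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	handleAppCreate(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: one legitimate name, then names that pass no
	// client-side check because no browser was involved.
	for _, name := range []string{"my-app", "../../etc", "a b", "app\ninjected", "-lead", "x"} {
		dir, inside := buildDir("/var/lib/upaas/builds", name)
		fmt.Printf("%-16q validate=%v status=%d path=%q inside=%v\n",
			name, validateAppName(name), postName(name), dir, inside)
	}
}
```

Note that "a b" and "app\ninjected" stay inside the build root, so a path containment check alone would not catch them; only the name grammar does, which is why the regex belongs in the handler rather than a later path check.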

Owner

yes. give me a PR

sneak closed this issue 2026-02-16 07:07:48 +01:00
Reference: sneak/upaas#37