sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

BUG: App name not validated server-side, only client-side HTML pattern #37

New Issue
Closed
opened 2026-02-16 06:56:32 +01:00 by clawbot · 1 comment
clawbot commented 2026-02-16 06:56:32 +01:00
Collaborator
Copy Link

Severity: MEDIUM

File: internal/handlers/app.go lines 44-79 (HandleAppCreate, HandleAppUpdate)

Description

The app name is used directly in:

  • Docker container names: "upaas-" + app.Name (deploy.go)
  • Docker image tags: "upaas-%s:%d" (deploy.go)
  • File system paths for build dirs and log files (deploy.go)
  • The HTML pattern="[a-z0-9-]+" attribute is only client-side validation

A crafted POST request bypassing the browser can submit names with spaces, special characters, path separators, etc., potentially causing:

  • Docker API errors with invalid container/image names
  • Path traversal in build directories
  • Log injection via app names in log messages

Suggested Fix

Add server-side validation matching the client-side pattern:

var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)

func validateAppName(name string) error {
    if len(name) < 2 || len(name) > 63 {
        return fmt.Errorf("name must be 2-63 characters")
    }
    if !validAppNameRe.MatchString(name) {
        return fmt.Errorf("name must contain only lowercase letters, numbers, and hyphens")
    }
    return nil
}

Apply this in both HandleAppCreate and HandleAppUpdate.

## Severity: MEDIUM ## File: `internal/handlers/app.go` lines 44-79 (HandleAppCreate, HandleAppUpdate) ## Description The app name is used directly in: - Docker container names: `"upaas-" + app.Name` (deploy.go) - Docker image tags: `"upaas-%s:%d"` (deploy.go) - File system paths for build dirs and log files (deploy.go) - The HTML `pattern="[a-z0-9-]+"` attribute is only client-side validation A crafted POST request bypassing the browser can submit names with spaces, special characters, path separators, etc., potentially causing: - Docker API errors with invalid container/image names - Path traversal in build directories - Log injection via app names in log messages ## Suggested Fix Add server-side validation matching the client-side pattern: ```go var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`) func validateAppName(name string) error { if len(name) < 2 || len(name) > 63 { return fmt.Errorf("name must be 2-63 characters") } if !validAppNameRe.MatchString(name) { return fmt.Errorf("name must contain only lowercase letters, numbers, and hyphens") } return nil } ``` Apply this in both `HandleAppCreate` and `HandleAppUpdate`.
sneak commented 2026-02-16 07:02:22 +01:00
Owner
Copy Link

yes. give me a PR

yes. give me a PR
sneak closed this issue 2026-02-16 07:07:48 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
notplanned

   
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
notplanned
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#37
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?