Validate app names in both HandleAppCreate and HandleAppUpdate using a regex pattern matching the client-side HTML pattern: lowercase alphanumeric characters and hyphens, 2-63 chars, starting and ending with an alphanumeric character. This prevents Docker API errors, path traversal, and log injection from crafted POST requests that bypass browser validation.
package handlers
import (
"errors"
"regexp"
"strconv"
)
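const (
	// appNameMinLength is the minimum allowed length for an app name.
	appNameMinLength = 2
	// appNameMaxLength is the maximum allowed length for an app name.
	appNameMaxLength = 63
)

// validAppNameRe matches names containing only lowercase alphanumeric
// characters and hyphens, starting and ending with an alphanumeric character.
//
// The pattern carries no (?m) flag, so ^ and $ anchor to the start and end of
// the whole input and a trailing newline is not accepted. The accepted
// alphabet has no path separators, dots, whitespace or control characters.
// Consecutive hyphens in the middle of a name are allowed.
var validAppNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*[a-z0-9]$`)

// Sentinel errors returned by validateAppName. Both messages are fixed text
// and never echo the rejected name.
var (
	// errAppNameLength reports a name outside the allowed length range.
	errAppNameLength = errors.New(
		"app name must be between " +
			strconv.Itoa(appNameMinLength) + " and " +
			strconv.Itoa(appNameMaxLength) + " characters",
	)
	// errAppNamePattern reports a name that validAppNameRe does not match.
	errAppNamePattern = errors.New(
		"app name must contain only lowercase letters, numbers, " +
			"and hyphens, and must start and end with a letter or number",
	)
)

// validateAppName checks that the given app name is safe for use in Docker
// container names, image tags, and file system paths.
//
// It returns errAppNameLength when the name is shorter than appNameMinLength
// or longer than appNameMaxLength, errAppNamePattern when the name does not
// match validAppNameRe, and nil otherwise. The check is meant to run on the
// server for every request that carries an app name, since a browser-side
// pattern attribute does not constrain a hand-built POST.
func validateAppName(name string) error {
	// len counts bytes. Every name the pattern accepts is pure ASCII, so for
	// accepted names the byte count equals the character count; the bound also
	// caps the input handed to the regexp.
	if len(name) < appNameMinLength || len(name) > appNameMaxLength {
		return errAppNameLength
	}

	if !validAppNameRe.MatchString(name) {
		return errAppNamePattern
	}

	return nil
}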