Validate app names in both HandleAppCreate and HandleAppUpdate using a regex pattern matching the client-side HTML pattern: lowercase alphanumeric and hyphens, 2-63 chars, must start and end with alphanumeric character. This prevents Docker API errors, path traversal, and log injection from crafted POST requests bypassing browser validation.
package handlers //nolint:testpackage // testing unexported validateAppName
import (
"testing"
)
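// TestValidateAppName is a table-driven test for validateAppName. Each case
// supplies a candidate app name and whether validation is expected to fail.
//
// The rejected cases double as security regression checks. The accompanying
// change describes the validator as guarding against Docker API errors, path
// traversal and log injection from requests that bypass browser-side
// validation, so separators, traversal sequences, control characters and
// non-ASCII input must all be refused server-side.
func TestValidateAppName(t *testing.T) {
	t.Parallel()

	// valid63 is a well-formed name at the maximum accepted length (63
	// characters). Over-length inputs are derived from it so that they contain
	// only permitted characters and can be rejected for length alone; padding
	// with zero bytes would also trip the character check and hide a broken
	// length limit.
	const valid63 = "a23456789012345678901234567890123456789012345678901234567890123"

	tests := []struct {
		name    string
		input   string
		wantErr bool
	}{
		// Accepted names.
		{"valid simple", "myapp", false},
		{"valid with hyphen", "my-app", false},
		{"valid with numbers", "app123", false},
		{"valid two chars", "ab", false},
		{"valid complex", "my-cool-app-v2", false},
		{"valid all numbers", "123", false},

		// Length boundaries (2-63 characters).
		{"empty", "", true},
		{"single char", "a", true},
		{"exactly 63 chars", valid63, false},
		{"64 chars", valid63 + "4", true},
		{"too long", valid63 + valid63, true},

		// Characters outside lowercase alphanumerics and hyphen.
		{"uppercase", "MyApp", true},
		{"spaces", "my app", true},
		{"underscore", "my_app", true},
		{"dot", "my.app", true},
		{"special chars", "app@name!", true},
		{"unicode", "appñame", true},

		// First and last character must be alphanumeric.
		{"starts with hyphen", "-myapp", true},
		{"ends with hyphen", "myapp-", true},
		{"only hyphens", "--", true},

		// Path separators and traversal sequences.
		{"slash", "my/app", true},
		{"backslash", "my\\app", true},
		{"path traversal", "../etc/passwd", true},

		// Control characters: line breaks would let a name forge extra log
		// lines, and a trailing newline checks that the pattern is anchored at
		// the true end of the input.
		{"embedded newline", "my\napp", true},
		{"trailing newline", "myapp\n", true},
		{"carriage return", "my\rapp", true},
		{"tab", "my\tapp", true},
		{"NUL byte", "my\x00app", true},
	}

	// NOTE(review): the parallel subtest closure reads tt after the loop has
	// moved on. That is only safe with per-iteration loop variables (Go 1.22+);
	// confirm the module's go directive, or shadow tt inside the loop body.
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			err := validateAppName(tt.input)
			if (err != nil) != tt.wantErr {
				t.Errorf("validateAppName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
			}
		})
	}
}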