fork 自 sneak/upaas
d27adc040d
Validate app names in both HandleAppCreate and HandleAppUpdate using a regex pattern matching the client-side HTML pattern: lowercase alphanumeric and hyphens, 2-63 chars, must start and end with alphanumeric character. This prevents Docker API errors, path traversal, and log injection from crafted POST requests bypassing browser validation.
49 行
1.3 KiB
Go
49 行
1.3 KiB
Go
package handlers //nolint:testpackage // testing unexported validateAppName
|
|
|
|
import (
|
|
"testing"
|
|
)
|
|
|
|
func TestValidateAppName(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
tests := []struct {
|
|
name string
|
|
input string
|
|
wantErr bool
|
|
}{
|
|
{"valid simple", "myapp", false},
|
|
{"valid with hyphen", "my-app", false},
|
|
{"valid with numbers", "app123", false},
|
|
{"valid two chars", "ab", false},
|
|
{"valid complex", "my-cool-app-v2", false},
|
|
{"valid all numbers", "123", false},
|
|
{"empty", "", true},
|
|
{"single char", "a", true},
|
|
{"too long", "a" + string(make([]byte, 63)), true},
|
|
{"exactly 63 chars", "a23456789012345678901234567890123456789012345678901234567890123", false},
|
|
{"64 chars", "a234567890123456789012345678901234567890123456789012345678901234", true},
|
|
{"uppercase", "MyApp", true},
|
|
{"spaces", "my app", true},
|
|
{"starts with hyphen", "-myapp", true},
|
|
{"ends with hyphen", "myapp-", true},
|
|
{"underscore", "my_app", true},
|
|
{"dot", "my.app", true},
|
|
{"slash", "my/app", true},
|
|
{"path traversal", "../etc/passwd", true},
|
|
{"special chars", "app@name!", true},
|
|
{"unicode", "appñame", true},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
err := validateAppName(tt.input)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("validateAppName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
|
|
}
|
|
})
|
|
}
|
|
}
|