weldr: validate external ostree ref

Validates the ref only when supplied through the API (i.e., doesn't validate built-in defaults). Regex matches ostree internal and cockpit-composer UI validation. Added test case to compose API test.
2021-03-25 12:15:39 +01:00 · 2021-03-25 12:15:39 +01:00 · c1355c2d06
commit c1355c2d06
parent b0ca1a6919
2 changed files with 16 additions and 0 deletions
--- a/internal/weldr/api.go
+++ b/internal/weldr/api.go
@ -89,6 +89,7 @@ func (api *API) systemRepoNames() (names []string) {
 }

 var ValidBlueprintName = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
+var ValidOSTreeRef = regexp.MustCompile(`^(?:[\w\d][-._\w\d]*\/)*[\w\d][-._\w\d]*$`)

 func New(rpmmd rpmmd.RPMMD, arch distro.Arch, distro distro.Distro, repos []rpmmd.RepoConfig, logger *log.Logger, store *store.Store, workers *worker.Server, compatOutputDir string) *API {
 	api := &API{
@ -372,6 +373,18 @@ func verifyStringsWithRegex(writer http.ResponseWriter, strings []string, re *re
 	return true
 }

+func verifyOSTreeRef(writer http.ResponseWriter, ref string, re *regexp.Regexp) bool {
+	if len(ref) > 0 && re.MatchString(ref) {
+		return true
+	}
+	errors := responseError{
+		ID:  "InvalidChars",
+		Msg: "Invalid ostree ref",
+	}
+	statusResponseError(writer, http.StatusBadRequest, errors)
+	return false
+}
+
 func statusResponseError(writer http.ResponseWriter, code int, errors ...responseError) {
 	type reply struct {
 		Status bool            `json:"status"`
@ -1902,6 +1915,8 @@ func (api *API) composeHandler(writer http.ResponseWriter, request *http.Request
 	// set default ostree ref, if one not provided
 	if cr.OSTree.Ref == "" {
 		cr.OSTree.Ref = imageType.OSTreeRef()
+	} else if !verifyOSTreeRef(writer, cr.OSTree.Ref, ValidOSTreeRef) {
+		return
 	}

 	if !verifyStringsWithRegex(writer, []string{cr.BlueprintName}, ValidBlueprintName) {
--- a/internal/weldr/api_test.go
+++ b/internal/weldr/api_test.go
@ -679,6 +679,7 @@ func TestCompose(t *testing.T) {
 		{false, "POST", "/api/v1/compose", `{"blueprint_name": "test","compose_type":"qcow2","branch":"master","ostree":{"ref":"refid","parent":"parentid","url":""}}`, http.StatusOK, `{"status": true}`, expectedComposeOSTreeRef, []string{"build_id"}},
 		{false, "POST", "/api/v1/compose?test=2", `{"blueprint_name": "test","compose_type":"qcow2","branch":"master","ostree":{"ref":"refid","parent":"","url":"http://ostree/"}}`, http.StatusOK, `{"status": true}`, expectedComposeOSTreeURL, []string{"build_id"}},
 		{false, "POST", "/api/v1/compose", `{"blueprint_name": "test","compose_type":"qcow2","branch":"master","ostree":{"ref":"refid","parent":"","url":"invalid-url"}}`, http.StatusBadRequest, `{"status":false,"errors":[{"id":"OSTreeCommitError","msg":"Get \"invalid-url/refs/heads/refid\": unsupported protocol scheme \"\""}]}`, nil, []string{"build_id"}},
+		{false, "POST", "/api/v1/compose", `{"blueprint_name": "test","compose_type":"qcow2","branch":"master","ostree":{"ref":"/bad/ref","parent":"","url":"http://ostree/"}}`, http.StatusBadRequest, `{"status":false,"errors":[{"id":"InvalidChars","msg":"Invalid ostree ref"}]}`, expectedComposeOSTreeURL, []string{"build_id"}},
 	}

 	tempdir, err := ioutil.TempDir("", "weldr-tests-")