Prevent unsanitized input when creating new environments in osctrl-admin#777
Prevent unsanitized input when creating new environments in osctrl-admin#777
osctrl-admin#777Conversation
javuto
added
osctrl-admin
There was a problem hiding this comment.
Pull request overview
This PR introduces input validation filters to prevent command injection and other security vulnerabilities when creating, editing, or deleting environments in osctrl-admin. The changes add regex-based validation for environment names, icons, hostnames, types, and UUIDs, along with comprehensive test coverage.
Changes:
- Added new filter functions with regex validation for environment-related fields (name, icon, hostname, type, UUID)
- Applied validation filters to the environment POST handler for create, delete, and edit actions
- Added comprehensive unit tests covering valid and invalid inputs for all filter functions
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| pkg/environments/filters.go | Introduces 5 filter functions with regex patterns to validate environment input fields and prevent injection attacks |
| pkg/environments/filters_test.go | Adds comprehensive test coverage with 503 test cases covering edge cases and special characters for all filter functions |
| cmd/admin/handlers/post.go | Applies input validation to environment POST handler's create, delete, and edit actions |
Comments suppressed due to low confidence (1)
cmd/admin/handlers/post.go:892
- The "edit" case is missing hostname validation. The code calls UpdateHostname with c.Hostname but doesn't verify that the hostname is valid using HostnameFilter. This creates an inconsistency with the "create" case and could allow unsanitized input to be used when updating hostnames. Consider adding hostname validation before calling UpdateHostname.
case "edit":
// Verify request fields
if !environments.EnvUUIDFilter(c.UUID) {
adminErrorResponse(w, "invalid environment UUID", http.StatusInternalServerError, nil)
return
}
if h.Envs.Exists(c.UUID) {
if err := h.Envs.UpdateHostname(c.UUID, c.Hostname); err != nil {
adminErrorResponse(w, "error updating hostname", http.StatusInternalServerError, err)
return
}
}
adminOKResponse(w, "debug changed successfully")
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| func IconFilter(s string) bool { | ||
| // regex to only allow lowercase letters, numbers, dashes and underscores | ||
| re := regexp.MustCompile(iconRegex) | ||
| return re.MatchString(s) |
There was a problem hiding this comment.
The regex is compiled on every call to IconFilter, which is inefficient. Consider compiling the regex once at package initialization using a package-level variable or sync.Once to avoid repeated compilation overhead. The same issue applies to HostnameFilter, EnvNameFilter, and EnvUUIDFilter functions.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1 participant
Prevent issues such as command injection with the verification of all fields when creating a new environment.