-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate ObjectMeta in BeforeCreate #15975
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
/* | ||
Copyright 2015 The Kubernetes Authors All rights reserved. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package validation | ||
|
||
import ( | ||
"fmt" | ||
"strings" | ||
) | ||
|
||
// NameMayNotBe specifies strings that cannot be used as names specified as path segments (like the REST API or etcd store) | ||
var NameMayNotBe = []string{".", ".."} | ||
|
||
// NameMayNotContain specifies substrings that cannot be used in names specified as path segments (like the REST API or etcd store) | ||
var NameMayNotContain = []string{"/", "%"} | ||
|
||
// ValidatePathSegmentName validates the name can be used as a path segment | ||
func ValidatePathSegmentName(name string, prefix bool) (bool, string) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. prefix is not used? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. none of the places that made use of this method were passing prefix=true, but in the interest of supporting the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks. LGTM. |
||
// Only check for exact matches if this is the full name (not a prefix) | ||
if prefix == false { | ||
for _, illegalName := range NameMayNotBe { | ||
if name == illegalName { | ||
return false, fmt.Sprintf(`name may not be %q`, illegalName) | ||
} | ||
} | ||
} | ||
|
||
for _, illegalContent := range NameMayNotContain { | ||
if strings.Contains(name, illegalContent) { | ||
return false, fmt.Sprintf(`name may not contain %q`, illegalContent) | ||
} | ||
} | ||
|
||
return true, "" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,149 @@ | ||
/* | ||
Copyright 2015 The Kubernetes Authors All rights reserved. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package validation | ||
|
||
import ( | ||
"strings" | ||
"testing" | ||
) | ||
|
||
func TestValidatePathSegmentName(t *testing.T) { | ||
testcases := map[string]struct { | ||
Name string | ||
Prefix bool | ||
ExpectedOK bool | ||
ExpectedMsg string | ||
}{ | ||
"empty": { | ||
Name: "", | ||
Prefix: false, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
"empty,prefix": { | ||
Name: "", | ||
Prefix: true, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
|
||
"valid": { | ||
Name: "foo.bar.baz", | ||
Prefix: false, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
"valid,prefix": { | ||
Name: "foo.bar.baz", | ||
Prefix: true, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
|
||
// Make sure mixed case, non DNS subdomain characters are tolerated | ||
"valid complex": { | ||
Name: "sha256:ABCDEF012345@ABCDEF012345", | ||
Prefix: false, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
// Make sure non-ascii characters are tolerated | ||
"valid extended charset": { | ||
Name: "Iñtërnâtiônàlizætiøn", | ||
Prefix: false, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
|
||
"dot": { | ||
Name: ".", | ||
Prefix: false, | ||
ExpectedOK: false, | ||
ExpectedMsg: ".", | ||
}, | ||
"dot leading": { | ||
Name: ".test", | ||
Prefix: false, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
"dot,prefix": { | ||
Name: ".", | ||
Prefix: true, | ||
ExpectedOK: true, // allowed because a suffix could make it valid | ||
ExpectedMsg: "", | ||
}, | ||
|
||
"dot dot": { | ||
Name: "..", | ||
Prefix: false, | ||
ExpectedOK: false, | ||
ExpectedMsg: "..", | ||
}, | ||
"dot dot leading": { | ||
Name: "..test", | ||
Prefix: false, | ||
ExpectedOK: true, | ||
ExpectedMsg: "", | ||
}, | ||
"dot dot,prefix": { | ||
Name: "..", | ||
Prefix: true, | ||
ExpectedOK: true, // allowed because a suffix could make it valid | ||
ExpectedMsg: "", | ||
}, | ||
|
||
"slash": { | ||
Name: "foo/bar", | ||
Prefix: false, | ||
ExpectedOK: false, | ||
ExpectedMsg: "/", | ||
}, | ||
"slash,prefix": { | ||
Name: "foo/bar", | ||
Prefix: true, | ||
ExpectedOK: false, | ||
ExpectedMsg: "/", | ||
}, | ||
|
||
"percent": { | ||
Name: "foo%bar", | ||
Prefix: false, | ||
ExpectedOK: false, | ||
ExpectedMsg: "%", | ||
}, | ||
"percent,prefix": { | ||
Name: "foo%bar", | ||
Prefix: true, | ||
ExpectedOK: false, | ||
ExpectedMsg: "%", | ||
}, | ||
} | ||
|
||
for k, tc := range testcases { | ||
ok, msg := ValidatePathSegmentName(tc.Name, tc.Prefix) | ||
if ok != tc.ExpectedOK { | ||
t.Errorf("%s: expected ok=%v, got %v", k, tc.ExpectedOK, ok) | ||
} | ||
if len(tc.ExpectedMsg) == 0 && len(msg) > 0 { | ||
t.Errorf("%s: expected no message, got %v", k, msg) | ||
} | ||
if len(tc.ExpectedMsg) > 0 && !strings.Contains(msg, tc.ExpectedMsg) { | ||
t.Errorf("%s: expected message containing %q, got %v", k, tc.ExpectedMsg, msg) | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,10 +17,12 @@ limitations under the License. | |
package storage | ||
|
||
import ( | ||
"fmt" | ||
"strconv" | ||
|
||
"k8s.io/kubernetes/pkg/api/errors" | ||
"k8s.io/kubernetes/pkg/api/meta" | ||
"k8s.io/kubernetes/pkg/api/validation" | ||
"k8s.io/kubernetes/pkg/runtime" | ||
"k8s.io/kubernetes/pkg/util/fielderrors" | ||
) | ||
|
@@ -56,6 +58,10 @@ func NamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) { | |
if err != nil { | ||
return "", err | ||
} | ||
name := meta.Name() | ||
if ok, msg := validation.ValidatePathSegmentName(name, false); !ok { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. All of these can be replaced with pkg/util/validation.IsDNS1123Subdomain(name) (or a local wrapper thereof) and should probably be commented as "sanity checks". There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Object strategies should definitely validate names themselves (like most are already doing). This should be the minimal validation needed to ensure the REST and storage layers can address the stored name There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. My point is that your PathSegmentName is redundant with DNS1123Subdomain, which already exists. Less code is more better There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. DNS1123Subdomain is too strict here. There can be valid addressable object names that are not subdomains There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hypothetically. I'm saying I'm OK asserting that any objects we create will be a subdomain or stricter. But it's not a huge deal, I guess. |
||
return "", fmt.Errorf("invalid name: %v", msg) | ||
} | ||
return prefix + "/" + meta.Namespace() + "/" + meta.Name(), nil | ||
} | ||
|
||
|
@@ -64,5 +70,9 @@ func NoNamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) { | |
if err != nil { | ||
return "", err | ||
} | ||
name := meta.Name() | ||
if ok, msg := validation.ValidatePathSegmentName(name, false); !ok { | ||
return "", fmt.Errorf("invalid name: %v", msg) | ||
} | ||
return prefix + "/" + meta.Name(), nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can be simpler, I think. Every single object has a name that is DNS1123Subdomain or stricter. You should just be able to pass pkg/api/validation.go:NameIsDNSSubdomain() here, and get rid of this new impl below...
I'd rather we get more rigorous about validation, but we can get there in the next release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not the case with downstream objects in OpenShift (like users or identities) or third party objects (the semantics of whose names are not known here). This is the minimal validation I could come up with for names used as path segments
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think @liggitt's point is valid, especially for third party objects, I think it's better to keep the flexibility.