fix(plugins): Validate PluginInfo.Release version (#812)

spinnaker · May 7, 2020 · 42bc040 · 42bc040
1 parent dd3fd15
commit 42bc040
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/front50-core/src/main/groovy/com/netflix/spinnaker/front50/model/plugins/PluginInfo.java b/front50-core/src/main/groovy/com/netflix/spinnaker/front50/model/plugins/PluginInfo.java
@@ -24,6 +24,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.annotation.Nonnull;
+import javax.validation.Valid;
 import lombok.Data;
 
 /**
@@ -48,7 +49,7 @@ public class PluginInfo implements Timestamped {
   private String provider;
 
   /** A list of plugin releases. */
-  @Nonnull private List<Release> releases = new ArrayList<>();
+  @Valid @Nonnull private List<Release> releases = new ArrayList<>();
 
   /** The time (epoch millis) when the plugin info was first created. */
   private Long createTs;
@@ -76,6 +77,7 @@ public void setReleaseByVersion(String version, Release release) {
   /** A singular {@code PluginInfo} release. */
   @Data
   public static class Release {
+    public static final String VERSION_PATTERN = "^[1-9]\\d*\\.\\d+\\.\\d+(?:-[a-zA-Z0-9]+)?$";
     public static final Pattern SUPPORTS_PATTERN =
         Pattern.compile(
             "^(?<service>[\\w\\-]+)(?<operator>[><=]{1,2})(?<version>[0-9]+\\.[0-9]+\\.[0-9]+)$");
@@ -88,6 +90,7 @@ public static class Release {
      *
      * @link https://semver.org/
      */
+    @javax.validation.constraints.Pattern(regexp = VERSION_PATTERN)
     private String version;
 
     /** The date of the plugin release. */

diff --git a/...0-web/src/main/groovy/com/netflix/spinnaker/front50/controllers/PluginInfoController.java b/...0-web/src/main/groovy/com/netflix/spinnaker/front50/controllers/PluginInfoController.java
@@ -19,8 +19,11 @@
 import com.netflix.spinnaker.front50.model.plugins.PluginInfoService;
 import java.util.Collection;
 import java.util.Optional;
+import javax.validation.Valid;
+import javax.validation.constraints.Pattern;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,6 +34,7 @@
 
 @RestController
 @RequestMapping("/pluginInfo")
+@Validated
 public class PluginInfoController {
 
   private final PluginInfoService pluginInfoService;
@@ -52,7 +56,7 @@ PluginInfo get(@PathVariable String id) {
   }
 
   @RequestMapping(value = "", method = RequestMethod.POST)
-  PluginInfo upsert(@RequestBody PluginInfo pluginInfo) {
+  PluginInfo upsert(@Valid @RequestBody PluginInfo pluginInfo) {
     return pluginInfoService.upsert(pluginInfo);
   }
 
@@ -64,23 +68,26 @@ void delete(@PathVariable String id) {
   }
 
   @RequestMapping(value = "/{id}/releases", method = RequestMethod.POST)
-  PluginInfo createRelease(@PathVariable String id, @RequestBody PluginInfo.Release release) {
+  PluginInfo createRelease(
+      @PathVariable String id, @Valid @RequestBody PluginInfo.Release release) {
     return pluginInfoService.createRelease(id, release);
   }
 
   @PreAuthorize("@fiatPermissionEvaluator.isAdmin()")
   @RequestMapping(value = "/{id}/releases/{releaseVersion}", method = RequestMethod.PUT)
   PluginInfo.Release preferReleaseVersion(
       @PathVariable String id,
-      @PathVariable String releaseVersion,
+      @PathVariable @Pattern(regexp = PluginInfo.Release.VERSION_PATTERN) String releaseVersion,
       @RequestParam(value = "preferred") boolean preferred) {
     return pluginInfoService.preferReleaseVersion(id, releaseVersion, preferred);
   }
 
   @PreAuthorize("@fiatPermissionEvaluator.isAdmin()")
   @RequestMapping(value = "/{id}/releases/{releaseVersion}", method = RequestMethod.DELETE)
   @ResponseStatus(HttpStatus.NO_CONTENT)
-  PluginInfo deleteRelease(@PathVariable String id, @PathVariable String releaseVersion) {
+  PluginInfo deleteRelease(
+      @PathVariable String id,
+      @PathVariable @Pattern(regexp = PluginInfo.Release.VERSION_PATTERN) String releaseVersion) {
     return pluginInfoService.deleteRelease(id, releaseVersion);
   }
 }