From f393236c9f7f1aff608b09c50e89b481d04b117d Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 5 Oct 2015 14:19:52 -0400
Subject: [PATCH] Add repo name check to V2

Fixes #592
---
 endpoints/v2/v2auth.py |  8 ++++++--
 test/registry_tests.py | 11 +++++++++--
 util/names.py          |  2 ++
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/endpoints/v2/v2auth.py b/endpoints/v2/v2auth.py
index a4129a23c..7c6a14d92 100644
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@@ -17,10 +17,9 @@ from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermissi
                               CreateRepositoryPermission)
 from endpoints.v2 import v2_bp
 from util.cache import no_cache
-from util.names import parse_namespace_repository
+from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
 from endpoints.decorators import anon_protect
 
-
 logger = logging.getLogger(__name__)
 
 
@@ -73,6 +72,11 @@ def generate_registry_jwt():
     actions = match.group(2).split(',')
 
     namespace, reponame = parse_namespace_repository(namespace_and_repo)
+
+    # Ensure that we are never creating an invalid repository.
+    if not REPOSITORY_NAME_REGEX.match(reponame):
+      abort(400)
+
     if 'pull' in actions and 'push' in actions:
       if user is None:
         abort(401)
diff --git a/test/registry_tests.py b/test/registry_tests.py
index a068f385a..be88bed24 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -377,14 +377,18 @@ class V2RegistryMixin(BaseRegistryMixin):
 
 class V2RegistryPushMixin(V2RegistryMixin):
   def do_push(self, namespace, repository, username, password, images=None, tag_name=None,
-              cancel=False, invalid=False, expected_manifest_code=202):
+              cancel=False, invalid=False, expected_manifest_code=202, expected_auth_code=200):
     images = images or self._get_default_images()
 
     # Ping!
     self.v2_ping()
 
     # Auth.
-    self.do_auth(username, password, namespace, repository, scopes=['push', 'pull'])
+    self.do_auth(username, password, namespace, repository, scopes=['push', 'pull'],
+                 expected_code=expected_auth_code)
+
+    if expected_auth_code != 200:
+      return
 
     # Build a fake manifest.
     tag_name = tag_name or 'latest'
@@ -816,6 +820,9 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
 
     self.do_push('devtable', 'newrepo', 'devtable', 'password', images=images)
 
+  def test_invalid_regname(self):
+    self.do_push('devtable', 'this/is/a/repo', 'devtable', 'password', expected_auth_code=400)
+
   def test_multiple_tags(self):
     latest_images = [
       {
diff --git a/util/names.py b/util/names.py
index f37f0135d..376c74b21 100644
--- a/util/names.py
+++ b/util/names.py
@@ -1,8 +1,10 @@
 import urllib
+import re
 
 from functools import wraps
 from uuid import uuid4
 
+REPOSITORY_NAME_REGEX = re.compile(r'^[\.a-zA-Z0-9_-]+$')
 
 def parse_namespace_repository(repository, include_tag=False):
   parts = repository.rstrip('/').split('/', 1)