Make sure channels and releases match the tag regex

2017-03-23 00:55:36 -04:00 · 2017-03-23 00:55:36 -04:00 · e7d7849937
commit e7d7849937
parent 3277fe9b4e
1 changed files with 21 additions and 1 deletions
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@ -18,7 +18,7 @@ from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_writ
 from endpoints.appr.decorators import disallow_for_image_repository
 from endpoints.appr.cnr_backend import Package, Channel, Blob
 from endpoints.decorators import anon_allowed, anon_protect
-from util.names import REPOSITORY_NAME_REGEX
+from util.names import REPOSITORY_NAME_REGEX, TAG_REGEX


 logger = logging.getLogger(__name__)
@ -244,6 +244,14 @@ def show_channel(namespace, package_name, channel_name):
@require_app_repo_write
@anon_protect
 def add_channel_release(namespace, package_name, channel_name, release):
+  if not TAG_REGEX.match(channel_name):
+    logger.debug('Found invalid channel name CNR add channel release: %s', channel_name)
+    raise InvalidUsage()
+
+  if not TAG_REGEX.match(release):
+    logger.debug('Found invalid release name CNR add channel release: %s', release)
+    raise InvalidUsage()
+
  reponame = repo_name(namespace, package_name)
  result = cnr_registry.add_channel_release(reponame, channel_name, release, channel_class=Channel,
                                            package_class=Package)
@ -259,6 +267,14 @@ def add_channel_release(namespace, package_name, channel_name, release):
@require_app_repo_write
@anon_protect
 def delete_channel_release(namespace, package_name, channel_name, release):
+  if not TAG_REGEX.match(channel_name):
+    logger.debug('Found invalid channel name CNR delete channel release: %s', channel_name)
+    raise InvalidUsage()
+
+  if not TAG_REGEX.match(release):
+    logger.debug('Found invalid release name CNR delete channel release: %s', release)
+    raise InvalidUsage()
+
  reponame = repo_name(namespace, package_name)
  result = cnr_registry.delete_channel_release(reponame, channel_name, release,
                                               channel_class=Channel, package_class=Package)
@ -274,6 +290,10 @@ def delete_channel_release(namespace, package_name, channel_name, release):
@require_app_repo_write
@anon_protect
 def delete_channel(namespace, package_name, channel_name):
+  if not TAG_REGEX.match(channel_name):
+    logger.debug('Found invalid channel name CNR delete channel: %s', channel_name)
+    raise InvalidUsage()
+
  reponame = repo_name(namespace, package_name)
  result = cnr_registry.delete_channel(reponame, channel_name, channel_class=Channel)
  return jsonify(result)