From e7d78499371de9a65f080a71528935cfb2aa2c24 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 23 Mar 2017 00:55:36 -0400
Subject: [PATCH] Make sure channels and releases match the tag regex

---
 endpoints/appr/registry.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/endpoints/appr/registry.py b/endpoints/appr/registry.py
index 731ecc8d7..2a6c08d60 100644
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@@ -18,7 +18,7 @@ from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_writ
 from endpoints.appr.decorators import disallow_for_image_repository
 from endpoints.appr.cnr_backend import Package, Channel, Blob
 from endpoints.decorators import anon_allowed, anon_protect
-from util.names import REPOSITORY_NAME_REGEX
+from util.names import REPOSITORY_NAME_REGEX, TAG_REGEX
 
 
 logger = logging.getLogger(__name__)
@@ -244,6 +244,14 @@ def show_channel(namespace, package_name, channel_name):
 @require_app_repo_write
 @anon_protect
 def add_channel_release(namespace, package_name, channel_name, release):
+  if not TAG_REGEX.match(channel_name):
+    logger.debug('Found invalid channel name CNR add channel release: %s', channel_name)
+    raise InvalidUsage()
+
+  if not TAG_REGEX.match(release):
+    logger.debug('Found invalid release name CNR add channel release: %s', release)
+    raise InvalidUsage()
+
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.add_channel_release(reponame, channel_name, release, channel_class=Channel,
                                             package_class=Package)
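Review bot: `TAG_REGEX.match()` anchors only at the start of the string, so the new checks on `channel_name` and `release` are only as strict as the pattern's own end anchor. TAG_REGEX is defined in util/names, outside this diff, so that should be confirmed. Even if the pattern ends in `$`, Python lets `$` match just before a trailing newline, so a name ending in `\n` would still pass. Ending the pattern with `\Z`, or also requiring `m.end() == len(value)`, closes that gap. The same applies to the checks added in delete_channel_release and delete_channel; add_channel_release's body continues outside the hunk.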
@@ -259,6 +267,14 @@ def add_channel_release(namespace, package_name, channel_name, release):
 @require_app_repo_write
 @anon_protect
 def delete_channel_release(namespace, package_name, channel_name, release):
+  if not TAG_REGEX.match(channel_name):
+    logger.debug('Found invalid channel name CNR delete channel release: %s', channel_name)
+    raise InvalidUsage()
+
+  if not TAG_REGEX.match(release):
+    logger.debug('Found invalid release name CNR delete channel release: %s', release)
+    raise InvalidUsage()
+
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.delete_channel_release(reponame, channel_name, release,
                                                channel_class=Channel, package_class=Package)
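Review bot: The channel/release guard added here is a copy of the one in add_channel_release, and delete_channel repeats the channel half; a single helper would keep the three endpoints from drifting apart. In that helper, log the rejected value with `%r` rather than `%s`, because a value that just failed the regex may contain line breaks or control characters that `%s` would write raw into the log. `InvalidUsage()` is raised with no arguments in all three places; its constructor is not visible in this diff, so confirm it accepts that, and consider passing a message that names the bad field. delete_channel_release's body continues outside the hunk.

```python
def _check_tag_name(kind, value):
  # Shared guard for channel and release names taken from the request path.
  if not TAG_REGEX.match(value):
    # %r escapes control characters so a rejected value cannot split the log line.
    logger.debug('Found invalid %s name in CNR request: %r', kind, value)
    raise InvalidUsage()


def delete_channel_release(namespace, package_name, channel_name, release):
  _check_tag_name('channel', channel_name)
  _check_tag_name('release', release)
  # … unchanged: repo_name lookup and cnr_registry.delete_channel_release call …
```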
@@ -274,6 +290,10 @@ def delete_channel_release(namespace, package_name, channel_name, release):
 @require_app_repo_write
 @anon_protect
 def delete_channel(namespace, package_name, channel_name):
+  if not TAG_REGEX.match(channel_name):
+    logger.debug('Found invalid channel name CNR delete channel: %s', channel_name)
+    raise InvalidUsage()
+
   reponame = repo_name(namespace, package_name)
   result = cnr_registry.delete_channel(reponame, channel_name, channel_class=Channel)
   return jsonify(result)