vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Disallow dots in repository names to fix reflected text "attack"

Browse source 
Fixes https://jira.coreos.com/browse/QS-125
This commit is contained in:
Joseph Schorr 2018-01-18 13:19:37 -05:00
parent b29e8202e5
commit ede3a81c68
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
test/test_api_usage.py
View file

@ -2241,7 +2241,7 @@ class TestGetRepository(ApiTestCase):
def test_getrepo_badnames(self): def test_getrepo_badnames(self):
self.login(ADMIN_ACCESS_USER) self.login(ADMIN_ACCESS_USER)
bad_names = ['logs', 'build', 'tokens', 'foo.bar', 'foo-bar', 'foo_bar'] bad_names = ['logs', 'build', 'tokens', 'foo-bar', 'foo_bar']
# For each bad name, create the repo. # For each bad name, create the repo.
for bad_name in bad_names: for bad_name in bad_names:

2
util/names.py
View file

@ -5,7 +5,7 @@ import anunidecode # Don't listen to pylint's lies. This import is required for
from uuid import uuid4 from uuid import uuid4
REPOSITORY_NAME_REGEX = re.compile(r'^[\.a-zA-Z0-9_-]+$') REPOSITORY_NAME_REGEX = re.compile(r'^[a-zA-Z0-9_-]+$')
VALID_TAG_PATTERN = r'[\w][\w.-]{0,127}' VALID_TAG_PATTERN = r'[\w][\w.-]{0,127}'
FULL_TAG_PATTERN = r'^[\w][\w.-]{0,127}$' FULL_TAG_PATTERN = r'^[\w][\w.-]{0,127}$'