Add minimal sanitization for applylib
justinsb committed Aug 30, 2022
1 parent 1c7ebea commit 3fa4d6f
Showing 1 changed file with 8 additions and 0 deletions.
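--- a/porch/controllers/remoterootsync/pkg/applyset/applyset.go
+++ b/porch/controllers/remoterootsync/pkg/applyset/applyset.go
@@ -18,6 +18,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+"strings"
 "sync"
 
 "k8s.io/apimachinery/pkg/api/meta"
@@ -202,6 +203,13 @@ func (a *ApplySet) ApplyOnce(ctx context.Context) (*ApplyResults, error) {
 continue
 }
 
+// Special case: errors are very cryptic with / in the name (we get a 404), and also avoid injection attacks
+if strings.Contains(name, "/") {
+err := fmt.Errorf("name %q is not valid", name)
+results.applyError(gvk, nn, fmt.Errorf("error from apply: %w", err))
+continue
+}
+
 applied, err := dynamicResource.Patch(ctx, name, types.ApplyPatchType, j, a.patchOptions)
 if err != nil {
 results.applyError(gvk, nn, fmt.Errorf("error from apply: %w", err))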
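Review bot: The new guard ahead of `dynamicResource.Patch` rejects only names containing `/`, so `.`, `..` and names containing `%` still reach a call that presumably places `name` in the request URL path. apimachinery already ships a stricter check in `k8s.io/apimachinery/pkg/api/validation/path`; consider `if msgs := path.IsValidPathSegmentName(name); len(msgs) != 0 {` and put `msgs` in the error text. The namespace half of `nn` is not validated in the visible lines and likely ends up in the same URL, so it deserves the same check unless that already happens earlier in `ApplyOnce`, whose body starts and ends outside this hunk. Wrapping the rejection as `"error from apply: %w"` is also slightly misleading, since no apply was attempted for that object.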
