NO-ISSUE: Add length validation for base64 artifacts

Signed-off-by: Ricardo Noriega <[email protected]>
lkatalin · Jul 3, 2024 · 55381de · 55381de
1 parent cc1e5dd
commit 55381de
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 22 deletions.
diff --git a/api/v1alpha1/validation.go b/api/v1alpha1/validation.go
@@ -6,6 +6,8 @@ import (
  "github.com/flightctl/flightctl/internal/util/validation"
 )
 
+const maxBase64CertificateLength = 20 * 1024 * 1024
+
 type Validator interface {
  Validate() []error
 }
@@ -144,29 +146,27 @@ func validateGitHttpConfig(config *GitHttpConfig) []error {
  var errs []error
  if config != nil {
  if config.CaCrt != nil {
- if !validation.IsBase64(*config.CaCrt) {
- errs = append(errs, fmt.Errorf("httpConfig.caCrt must be a valid base64 encoded string"))
+ err := validation.ValidateBase64Field(*config.CaCrt, "spec.httpConfig.CaCrt", maxBase64CertificateLength)
+ if err != nil {
+ errs = append(errs, fmt.Errorf("spec.httpConfig.caCrt must be a valid base64 encoded string: %v", err))
  }
  }
 
- if config.TlsCrt != nil {
- if !validation.IsBase64(*config.TlsCrt) {
- errs = append(errs, fmt.Errorf("httpConfig.tlsCrt must be a valid base64 encoded string"))
- }
+ if (config.Username != nil && config.Password == nil) || (config.Username == nil && config.Password != nil) {
+ errs = append(errs, fmt.Errorf("both username and password must be provided together"))
  }
-
- if config.TlsKey != nil {
- if !validation.IsBase64(*config.TlsKey) {
- errs = append(errs, fmt.Errorf("httpConfig.tlsKey must be a valid base64 encoded string"))
- }
+ if (config.TlsCrt != nil && config.TlsKey == nil) || (config.TlsCrt == nil && config.TlsKey != nil) {
+ errs = append(errs, fmt.Errorf("both tlsCrt and tlsKey must be provided together"))
  }
 
- if config.Username != nil {
- errs = append(errs, validation.ValidateString(config.Username, "httpConfig.username", 1, 256, nil, "")...)
+ if config.Username != nil && config.Password != nil {
+ errs = append(errs, validation.ValidateString(config.Username, "spec.httpConfig.username", 1, 256, nil, "")...)
+ errs = append(errs, validation.ValidateString(config.Password, "spec.httpConfig.password", 1, 256, nil, "")...)
  }
 
- if config.Password != nil {
- errs = append(errs, validation.ValidateString(config.Password, "httpConfig.password", 1, 256, nil, "")...)
+ if config.TlsCrt != nil && config.TlsKey != nil {
+ errs = append(errs, validation.ValidateBase64Field(*config.TlsCrt, "spec.httpConfig.TlsCrt", maxBase64CertificateLength)...)
+ errs = append(errs, validation.ValidateBase64Field(*config.TlsKey, "spec.httpConfig.TlsKey", maxBase64CertificateLength)...)
  }
  }
  return errs
@@ -175,14 +175,16 @@ func validateGitHttpConfig(config *GitHttpConfig) []error {
 func validateGitSshConfig(config *GitSshConfig) []error {
  var errs []error
  if config != nil {
- if config.PrivateKeyPassphrase != nil {
- errs = append(errs, validation.ValidateString(config.PrivateKeyPassphrase, "sshConfig.privateKeyPassphrase", 1, 256, nil, "")...)
+ // Check if passphrase is specified without private key
+ if config.PrivateKeyPassphrase != nil && config.SshPrivateKey == nil {
+ errs = append(errs, fmt.Errorf("spec.sshConfig.privateKeyPassphrase cannot be specified without sshConfig.sshPrivateKey"))
  }
 
+ if config.PrivateKeyPassphrase != nil {
+ errs = append(errs, validation.ValidateString(config.PrivateKeyPassphrase, "spec.sshConfig.privateKeyPassphrase", 1, 256, nil, "")...)
+ }
  if config.SshPrivateKey != nil {
- if !validation.IsBase64(*config.SshPrivateKey) {
- errs = append(errs, fmt.Errorf("sshConfig.sshPrivateKey must be a valid base64 encoded string"))
- }
+ errs = append(errs, validation.ValidateBase64Field(*config.SshPrivateKey, "spec.sshConfig.SshPrivateKey", maxBase64CertificateLength)...)
  }
  }
 

diff --git a/internal/util/validation/validation.go b/internal/util/validation/validation.go
@@ -71,9 +71,18 @@ func ValidateString(s *string, path string, minLen int, maxLen int, patternRegex
  return asErrors(errs)
 }
 
-func IsBase64(s string) bool {
+func ValidateBase64Field(s string, path string, maxLen int) []error {
+ errs := field.ErrorList{}
+
+ if len(s) > maxLen {
+ errs = append(errs, field.TooLong(fieldPathFor(path), s, maxLen))
+ }
  _, err := base64.StdEncoding.DecodeString(s)
- return err == nil
+ if err != nil {
+ errs = append(errs, field.Invalid(fieldPathFor(path), s, "must be a valid base64 encoded string"))
+ }
+
+ return asErrors(errs)
 }
 
 func fieldPathFor(path string) *field.Path {