Skip to content

Loosen file name validation for kubernetes service bindings #4525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 21, 2025
Merged

Loosen file name validation for kubernetes service bindings #4525

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions lib/cloud_controller/diego/service_binding_files_builder.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ def build_service_binding_k8s
@service_bindings.select(&:create_succeeded?).each do |service_binding|
sb_hash = ServiceBindingPresenter.new(service_binding, include_instance: true).to_hash
name = sb_hash[:name]
raise IncompatibleBindings.new("Invalid binding name: '#{name}'. Name must match #{binding_naming_convention.inspect}") unless valid_name?(name)
raise IncompatibleBindings.new("Invalid binding name: '#{name}'. Name must match #{binding_naming_convention.inspect}") unless valid_binding_name?(name)
raise IncompatibleBindings.new("Duplicate binding name: #{name}") if names.add?(name).nil?

# add the credentials first
Expand Down Expand Up @@ -72,13 +72,17 @@ def binding_naming_convention
/^[a-z0-9\-.]{1,253}$/
end

def file_naming_convention
/^[a-z0-9\-._]{1,253}$/
end

# - adds a Diego::Bbs::Models::File object to the service_binding_files hash
# - binding name is used as the directory name, key is used as the file name
# - returns the bytesize of the path and content
# - skips (and returns 0) if the value is nil or an empty array or hash
# - serializes the value to JSON if it is a non-string object
def add_file(service_binding_files, name, key, value)
raise IncompatibleBindings.new("Invalid file name: #{key}") unless valid_name?(key)
raise IncompatibleBindings.new("Invalid file name: #{key}") unless valid_file_name?(key)

path = "#{name}/#{key}"
content = if value.nil?
Expand All @@ -95,10 +99,14 @@ def add_file(service_binding_files, name, key, value)
path.bytesize + content.bytesize
end

def valid_name?(name)
def valid_binding_name?(name)
name.match?(binding_naming_convention)
end

def valid_file_name?(name)
name.match?(file_naming_convention)
end

def transform_vcap_services_attribute(name)
if %w[binding_guid binding_name instance_guid instance_name syslog_drain_url volume_mounts].include?(name)
name.tr('_', '-')
Expand Down
8 changes: 8 additions & 0 deletions spec/unit/lib/cloud_controller/diego/service_binding_files_builder_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -274,6 +274,14 @@ module VCAP::CloudController::Diego
expect { service_binding_files }.to raise_error(ServiceBindingFilesBuilder::IncompatibleBindings, 'Invalid file name: ../secret')
end
end

context 'when credential keys contain underscores' do
let(:credentials) { { some_secret: 'hidden' } }

it 'does not return an error' do
expect { service_binding_files }.not_to raise_error
end
end
end
end

Expand Down