Improve create volume error messages and path validation

spadgett · spadgett · commit 04c0afdb6093 · 2016-11-23T09:25:11.000-05:00
Correctly validate paths on the client when checking key/path items in a config map or secret volume. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1397788 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1397789
diff --git a/app/scripts/controllers/addConfigVolume.js b/app/scripts/controllers/addConfigVolume.js
@@ -96,7 +96,6 @@ angular.module('openshiftConsole')
         var generateName = $filter('generateName');
 
         var displayError = function(errorMessage, errorDetails) {
-          $scope.disableInputs = true;
           $scope.alerts['attach-persistent-volume-claim'] = {
             type: "error",
             message: errorMessage,
@@ -225,7 +224,11 @@ angular.module('openshiftConsole')
               $window.history.back();
             },
             function(result) {
-              displayError("An error occurred attaching the persistent volume claim to the " + $filter('humanizeKind')($routeParams.kind) + ".", getErrorDetails(result));
+              $scope.disableInputs = false;
+              var humanizeKind = $filter('humanizeKind');
+              var sourceKind = humanizeKind(source.kind);
+              var targetKind = humanizeKind($routeParams.kind);
+              displayError("An error occurred attaching the " + sourceKind + " to the " + targetKind + ".", getErrorDetails(result));
             }
           );
         };
diff --git a/app/views/add-config-volume.html b/app/views/add-config-volume.html
@@ -136,19 +136,34 @@ <h3>Keys and Paths</h3>
                               </div>
                               <div class="form-group col-md-6">
                                 <label ng-attr-for="path-{{$id}}" class="required">Path</label>
+                                <!--
+                                  Regex matches any paths not starting with `/` or containing `..` as path elements.
+                                  Use negative lookaheads to assert that the value does not match those patterns.
+
+                                    (?!(\.\.)?\/)         do not match strings starting with `/`
+                                    (?!\.\.(\/|$))        do not match strings starting with `../` or exactly `..`
+                                    (?!.*\/\.\.(\/|$))    do not match strings containing `/../` or ending in `/..`
+                                -->
                                 <input
                                     ng-attr-id="path-{{$id}}"
                                     class="form-control"
                                     ng-class="{ 'has-error': forms.addConfigVolumeForm['path-' + $id].$invalid && forms.addConfigVolumeForm['path-' + $id].$touched }"
                                     type="text"
                                     name="path-{{$id}}"
                                     ng-model="item.path"
+                                    ng-pattern="/^(?!\/)(?!\.\.(\/|$))(?!.*\/\.\.(\/|$)).*$/"
                                     required
                                     osc-unique="itemPaths"
                                     placeholder="example: config/app.properties"
                                     autocorrect="off"
                                     autocapitalize="off"
                                     spellcheck="false">
+                                <div class="has-error" ng-show="forms.addConfigVolumeForm['path-' + $id].$error.pattern">
+                                  <span class="help-block">
+                                    Path must be a relative path. It cannot start with <code>/</code> or
+                                    contain <code>..</code> path elements.
+                                  </span>
+                                </div>
                                 <div class="has-error" ng-show="forms.addConfigVolumeForm['path-' + $id].$error.oscUnique">
                                   <span class="help-block">
                                     Paths must be unique.
diff --git a/dist/scripts/scripts.js b/dist/scripts/scripts.js
@@ -8239,7 +8239,7 @@ c.attach.items.splice(a, 1), o();
 }, i.get(b.project).then(_.spread(function(e, h) {
 c.project = e;
 var i = a("orderByDisplayName"), k = a("getErrorDetails"), m = a("generateName"), n = function(a, b) {
-c.disableInputs = !0, c.alerts["attach-persistent-volume-claim"] = {
+c.alerts["attach-persistent-volume-claim"] = {
 type:"error",
 message:a,
 details:b
@@ -8308,8 +8308,10 @@ items:r
 }
 i.spec.volumes = i.spec.volumes || [], i.spec.volumes.push(s), c.alerts = {}, c.disableInputs = !0, g.update(l, e.metadata.name, c.targetObject, h).then(function() {
 d.history.back();
-}, function(c) {
-n("An error occurred attaching the persistent volume claim to the " + a("humanizeKind")(b.kind) + ".", k(c));
+}, function(d) {
+c.disableInputs = !1;
+var e = a("humanizeKind"), g = e(f.kind), h = e(b.kind);
+n("An error occurred attaching the " + g + " to the " + h + ".", k(d));
 });
 }
 };
diff --git a/dist/scripts/templates.js b/dist/scripts/templates.js
@@ -1028,7 +1028,13 @@ angular.module('openshiftConsoleTemplates', []).run(['$templateCache', function(
     "</div>\n" +
     "<div class=\"form-group col-md-6\">\n" +
     "<label ng-attr-for=\"path-{{$id}}\" class=\"required\">Path</label>\n" +
-    "<input ng-attr-id=\"path-{{$id}}\" class=\"form-control\" ng-class=\"{ 'has-error': forms.addConfigVolumeForm['path-' + $id].$invalid && forms.addConfigVolumeForm['path-' + $id].$touched }\" type=\"text\" name=\"path-{{$id}}\" ng-model=\"item.path\" required osc-unique=\"itemPaths\" placeholder=\"example: config/app.properties\" autocorrect=\"off\" autocapitalize=\"off\" spellcheck=\"false\">\n" +
+    "\n" +
+    "<input ng-attr-id=\"path-{{$id}}\" class=\"form-control\" ng-class=\"{ 'has-error': forms.addConfigVolumeForm['path-' + $id].$invalid && forms.addConfigVolumeForm['path-' + $id].$touched }\" type=\"text\" name=\"path-{{$id}}\" ng-model=\"item.path\" ng-pattern=\"/^(?!\\/)(?!\\.\\.(\\/|$))(?!.*\\/\\.\\.(\\/|$)).*$/\" required osc-unique=\"itemPaths\" placeholder=\"example: config/app.properties\" autocorrect=\"off\" autocapitalize=\"off\" spellcheck=\"false\">\n" +
+    "<div class=\"has-error\" ng-show=\"forms.addConfigVolumeForm['path-' + $id].$error.pattern\">\n" +
+    "<span class=\"help-block\">\n" +
+    "Path must be a relative path. It cannot start with <code>/</code> or contain <code>..</code> path elements.\n" +
+    "</span>\n" +
+    "</div>\n" +
     "<div class=\"has-error\" ng-show=\"forms.addConfigVolumeForm['path-' + $id].$error.oscUnique\">\n" +
     "<span class=\"help-block\">\n" +
     "Paths must be unique.\n" +
