From edafd5108a53e7942e099dae378dd3114223448c Mon Sep 17 00:00:00 2001
From: restitux <restitux@ohea.xyz>
Date: Tue, 14 Feb 2023 20:39:03 -0700
Subject: [PATCH] Add validation to secret names

---
 database/func.go                       | 15 +++++++++++++--
 pipeline_executor/pipeline_executor.go |  2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/database/func.go b/database/func.go
index 9232e1e..c96c5d7 100644
--- a/database/func.go
+++ b/database/func.go
@@ -3,6 +3,7 @@ package database
 import (
 	"context"
 	"fmt"
+	"regexp"
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5"
@@ -445,13 +446,23 @@ WHERE id=$1;`
 }
 
 func (db *Database) CreateSecret(name string, secret string) (Secret, error) {
-	// TODO: we need to validate that we can convert the name to a valid environment variable
+	s := Secret{}
+
+	// validate that the secret is only A-Z or underscores and less than 256 characters
+	if len(name) > 256 {
+		return s, fmt.Errorf("secret name must be 256 characters or less")
+	}
+
+	validName := regexp.MustCompile(`^[A-Z0-9_]+$`)
+	if !validName.MatchString(name) {
+		return s, fmt.Errorf("secren name must be made up of only uppercase letters, numbers, and underscores")
+	}
+
 	query := `
 INSERT INTO secrets (id, name, secret)
 VALUES (uuid_generate_v4(), $1, $2)
 RETURNING id, name, secret;`
 
-	s := Secret{}
 	var idStr string
 	err := db.Conn.QueryRow(context.Background(), query, name, secret).Scan(&idStr, &s.Name, &s.Secret)
 	if err != nil {
diff --git a/pipeline_executor/pipeline_executor.go b/pipeline_executor/pipeline_executor.go
index 272afaf..206d9bf 100644
--- a/pipeline_executor/pipeline_executor.go
+++ b/pipeline_executor/pipeline_executor.go
@@ -172,7 +172,7 @@ func ExecutePipeline(pe PipelineExecution, db database.Database, pipelineConf co
 	}
 
 	for _, secret := range secrets {
-		// TODO: this doesn't validate either of these strings
+		// the env name is validated to be just uppercase letters, numbers, and underscores on ingestion
 		env = append(env, fmt.Sprintf("%v=%v", strings.ToUpper(secret.Name), secret.Secret))
 	}