fix(management): guard against IndexOutOfRangeException for K8SNS/K8SCluster alias parsing

spbsoluble · claude · spbsoluble · commit 0f5a2c743b8c · 2026-03-26T16:50:44.000-07:00
HandleCreateOrUpdate (namespace case) and HandleRemove both accessed splitAlias[^2]
without a bounds check. An alias without the expected '/' delimiter (e.g. a bare
alias like 'testcert') produced a single-element array, causing
'Index was outside the bounds of the array' at runtime.

Added Length guards before all splitAlias[^2]/splitAlias[^1] accesses in both
methods for K8SNS and K8SCluster store types; returns a clear FailJob with an
actionable error message describing the expected alias format.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/kubernetes-orchestrator-extension/Jobs/Management.cs b/kubernetes-orchestrator-extension/Jobs/Management.cs
@@ -548,6 +548,14 @@ private JobResult HandleCreateOrUpdate(string secretType, ManagementJobConfigura
                 jobCertObj.Alias = config.JobCertificate.Alias;
                 // Split alias by / and get second to last element KubeSecretType
                 var splitAlias = jobCertObj.Alias.Split("/");
+                if (splitAlias.Length < 2)
+                {
+                    var invalidAliasErrMsg =
+                        "Invalid alias format for K8SNS store type. Alias pattern: `<secret_type>/<secret_name>` where `secret_type` is one of 'opaque' or 'tls' and `secret_name` is the name of the secret.";
+                    Logger.LogError(invalidAliasErrMsg);
+                    Logger.LogInformation("End MANAGEMENT job " + config.JobId + " " + invalidAliasErrMsg + " Failed!");
+                    return FailJob(invalidAliasErrMsg, config.JobHistoryId);
+                }
                 KubeSecretType = splitAlias[^2];
                 KubeSecretName = splitAlias[^1];
                 Logger.LogDebug("Handling managment add job for K8SNS secret type '" + KubeSecretType + "(" + jobCertObj.Alias + ")'...");
@@ -656,6 +664,12 @@ private JobResult HandleRemove(string secretType, ManagementJobConfiguration con
             var splitAlias = certAlias.Split("/");
             if (Capability.Contains("K8SNS"))
             {
+                if (splitAlias.Length < 2)
+                {
+                    var errMsg = $"Invalid alias format for K8SNS store type. Expected pattern: 'secrets/<tls|opaque>/<secret_name>' but got '{certAlias}'";
+                    Logger.LogError(errMsg);
+                    return FailJob(errMsg, config.JobHistoryId);
+                }
                 // Split alias by / and get second to last element KubeSecretType
                 KubeSecretType = splitAlias[^2];
                 KubeSecretName = splitAlias[^1];
@@ -666,6 +680,12 @@ private JobResult HandleRemove(string secretType, ManagementJobConfiguration con
             }
             else if (Capability.Contains("K8SCluster"))
             {
+                if (splitAlias.Length < 3)
+                {
+                    var errMsg = $"Invalid alias format for K8SCluster store type. Expected pattern: '<namespace>/secrets/<tls|opaque>/<secret_name>' but got '{certAlias}'";
+                    Logger.LogError(errMsg);
+                    return FailJob(errMsg, config.JobHistoryId);
+                }
                 KubeSecretType = splitAlias[^2];
                 KubeSecretName = splitAlias[^1];
                 KubeNamespace = splitAlias[0];
