[TT-16337] prevent use of special characters in policyID - visor comments

NurayAhmadova · NurayAhmadova · commit deee8a5c62b4 · 2026-01-29T13:48:21.000+04:00
diff --git a/gateway/api.go b/gateway/api.go
@@ -77,6 +77,7 @@ const (
 	// KeyListingWorkerCountCap 350 is based on the average of 10000 keys with minor contingency
 	KeyListingWorkerCountCap      = 350
 	KeyListingWorkerEntriesPerKey = 100
+	errMsgInvalidPolicyID         = "Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -, ~"
 )
 
 var (
@@ -1114,7 +1115,7 @@ func (gw *Gateway) handleAddOrUpdatePolicy(polID string, r *http.Request) (inter
 
 	if newPol.ID != "" && !isValidPolicyID(newPol.ID) {
 		log.WithField("id", newPol.ID).Error("Policy ID contains invalid characters")
-		return apiError("Invalid Policy ID in body. Allowed characters: a-z, A-Z, 0-9, ., _, -"), http.StatusBadRequest
+		return apiError(errMsgInvalidPolicyID), http.StatusBadRequest
 	}
 
 	if polID != "" && newPol.ID != polID && r.Method == http.MethodPut {
@@ -1564,7 +1565,7 @@ func (gw *Gateway) polHandler(w http.ResponseWriter, r *http.Request) {
 
 	if polID != "" && !isValidPolicyID(polID) {
 		log.WithField("id", polID).Error("Policy ID contains invalid characters")
-		doJSONWrite(w, http.StatusBadRequest, apiError("Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -"))
+		doJSONWrite(w, http.StatusBadRequest, apiError(errMsgInvalidPolicyID))
 		return
 	}
 
@@ -1603,9 +1604,6 @@ func (gw *Gateway) polHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func isValidPolicyID(id string) bool {
-	if id == "" {
-		return true
-	}
 	return validPolicyIDRegex.MatchString(id)
 }
 
diff --git a/gateway/api_test.go b/gateway/api_test.go
@@ -177,46 +177,44 @@ func TestPolicyAPI(t *testing.T) {
 	t.Run("fails if ID contains invalid characters", func(t *testing.T) {
 		invalidURLID := "invalid@id"
 
-		ts.Run(t, test.TestCase{
+		_, err := ts.Run(t, test.TestCase{
 			Path:      "/tyk/policies/" + invalidURLID,
 			Method:    http.MethodGet,
 			AdminAuth: true,
 			Code:      http.StatusBadRequest,
-			BodyMatch: `Invalid Policy ID`,
+			BodyMatch: "Invalid Policy ID",
 		})
+		assert.NoError(t, err)
 
 		invalidBodyPol := user.Policy{
 			ID:           "invalid/id",
 			Rate:         100,
 			Per:          1,
 			OrgID:        "54de205930c55e15bd000001",
 			AccessRights: make(map[string]user.AccessDefinition),
-			MetaData:     nil,
-			Tags:         nil,
 		}
 
-		ts.Run(t, test.TestCase{
+		_, err = ts.Run(t, test.TestCase{
 			Path:      "/tyk/policies",
 			Method:    http.MethodPost,
 			AdminAuth: true,
 			Data:      serializePolicy(t, invalidBodyPol),
 			Code:      http.StatusBadRequest,
-			BodyMatch: `Invalid Policy ID in body`,
+			BodyMatch: "Invalid Policy ID",
 		})
+		assert.NoError(t, err)
 
 		validID := "valid-id"
-		ts.Gw.policiesMu.Lock()
-		ts.Gw.policiesByID[validID] = invalidBodyPol
-		ts.Gw.policiesMu.Unlock()
 
-		ts.Run(t, test.TestCase{
+		_, err = ts.Run(t, test.TestCase{
 			Path:      "/tyk/policies/" + validID,
 			Method:    http.MethodPut,
 			AdminAuth: true,
-			Data:      serializePolicy(t, invalidBodyPol),
+			Data:      serializePolicy(t, invalidBodyPol), // sending "invalid/id" in body
 			Code:      http.StatusBadRequest,
-			BodyMatch: `Invalid Policy ID in body`,
+			BodyMatch: "Invalid Policy ID",
 		})
+		assert.NoError(t, err)
 	})
 }
 

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ const (`
`77`	`77`	`// KeyListingWorkerCountCap 350 is based on the average of 10000 keys with minor contingency`
`78`	`78`	`KeyListingWorkerCountCap = 350`
`79`	`79`	`KeyListingWorkerEntriesPerKey = 100`
	`80`	`+ errMsgInvalidPolicyID = "Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -, ~"`
`80`	`81`	`)`
`81`	`82`
`82`	`83`	`var (`
`@@ -1114,7 +1115,7 @@ func (gw Gateway) handleAddOrUpdatePolicy(polID string, r http.Request) (inter`
`1114`	`1115`
`1115`	`1116`	`if newPol.ID != "" && !isValidPolicyID(newPol.ID) {`
`1116`	`1117`	`log.WithField("id", newPol.ID).Error("Policy ID contains invalid characters")`
`1117`		`- return apiError("Invalid Policy ID in body. Allowed characters: a-z, A-Z, 0-9, ., _, -"), http.StatusBadRequest`
	`1118`	`+ return apiError(errMsgInvalidPolicyID), http.StatusBadRequest`
`1118`	`1119`	`}`
`1119`	`1120`
`1120`	`1121`	`if polID != "" && newPol.ID != polID && r.Method == http.MethodPut {`
`@@ -1564,7 +1565,7 @@ func (gw Gateway) polHandler(w http.ResponseWriter, r http.Request) {`
`1564`	`1565`
`1565`	`1566`	`if polID != "" && !isValidPolicyID(polID) {`
`1566`	`1567`	`log.WithField("id", polID).Error("Policy ID contains invalid characters")`
`1567`		`- doJSONWrite(w, http.StatusBadRequest, apiError("Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -"))`
	`1568`	`+ doJSONWrite(w, http.StatusBadRequest, apiError(errMsgInvalidPolicyID))`
`1568`	`1569`	`return`
`1569`	`1570`	`}`
`1570`	`1571`
`@@ -1603,9 +1604,6 @@ func (gw Gateway) polHandler(w http.ResponseWriter, r http.Request) {`
`1603`	`1604`	`}`
`1604`	`1605`
`1605`	`1606`	`func isValidPolicyID(id string) bool {`
`1606`		`- if id == "" {`
`1607`		`- return true`
`1608`		`- }`
`1609`	`1607`	`return validPolicyIDRegex.MatchString(id)`
`1610`	`1608`	`}`
`1611`	`1609`