fix: enforce S3-compatible bucket naming rules (#18)

Author: damacus

internal/handlers/bucket_name_validation_test.go

@@ -0,0 +1,35 @@
+package handlers
+
+import "testing"
+
+func TestIsValidBucketName(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{name: "valid simple", input: "my-bucket", expected: true},
+		{name: "valid dotted", input: "my.bucket.name", expected: true},
+		{name: "too short", input: "ab", expected: false},
+		{name: "too long", input: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", expected: false},
+		{name: "uppercase", input: "MyBucket", expected: false},
+		{name: "underscore", input: "my_bucket", expected: false},
+		{name: "leading hyphen", input: "-bucket", expected: false},
+		{name: "trailing hyphen", input: "bucket-", expected: false},
+		{name: "leading dot", input: ".bucket", expected: false},
+		{name: "trailing dot", input: "bucket.", expected: false},
+		{name: "consecutive dots", input: "bucket..name", expected: false},
+		{name: "dot hyphen pair", input: "bucket.-name", expected: false},
+		{name: "hyphen dot pair", input: "bucket-.name", expected: false},
+		{name: "ip format", input: "192.168.1.1", expected: false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := isValidBucketName(tt.input)
+			if actual != tt.expected {
+				t.Fatalf("isValidBucketName(%q) = %v, want %v", tt.input, actual, tt.expected)
+			}
+		})
+	}
+}

internal/handlers/buckets_handler.go

@@ -4,8 +4,10 @@ import (
 	"archive/zip"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -26,6 +28,8 @@ type BucketsHandler struct {
 	minioFactory services.MinioClientFactory
 }
 
+var bucketNamePattern = regexp.MustCompile(`^[a-z0-9][a-z0-9.-]*[a-z0-9]$`)
+
 func NewBucketsHandler(minioFactory services.MinioClientFactory) *BucketsHandler {
 	return &BucketsHandler{minioFactory: minioFactory}
 }
@@ -103,9 +107,9 @@ func (h *BucketsHandler) CreateBucket(c echo.Context) error {
 			"Error": "Bucket name is required",
 		})
 	}
-	if len(bucketName) < 3 || len(bucketName) > 63 {
+	if !isValidBucketName(bucketName) {
 		return c.Render(http.StatusBadRequest, "bucket_create_modal", map[string]interface{}{
-			"Error": "Bucket name must be between 3 and 63 characters",
+			"Error": "Invalid bucket name",
 		})
 	}
 
@@ -131,6 +135,22 @@ func (h *BucketsHandler) CreateBucket(c echo.Context) error {
 	return HTMXRedirect(c, "/buckets")
 }
 
+func isValidBucketName(name string) bool {
+	if len(name) < 3 || len(name) > 63 {
+		return false
+	}
+
+	if !bucketNamePattern.MatchString(name) {
+		return false
+	}
+
+	if strings.Contains(name, "..") || strings.Contains(name, ".-") || strings.Contains(name, "-.") {
+		return false
+	}
+
+	return net.ParseIP(name) == nil
+}
+
 // DeleteBucket handles removing a bucket
 func (h *BucketsHandler) DeleteBucket(c echo.Context) error {
 	creds, err := GetCredentials(c)