Improve the key validation in secret indentifier.

mashhurs · mashhurs · commit 45319e870e3d · 2025-03-18T23:11:34.000-07:00
diff --git a/logstash-core/src/main/java/org/logstash/secret/KeyValidator.java b/logstash-core/src/main/java/org/logstash/secret/KeyValidator.java
@@ -0,0 +1,63 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.logstash.secret;
+
+import com.google.common.annotations.VisibleForTesting;
+import org.apache.logging.log4j.util.Strings;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
+import java.util.stream.Collectors;
+
+public class KeyValidator {
+
+    @VisibleForTesting
+    protected static final List<String> RESTRICTED_SYMBOLS = Arrays.asList("?", "..", "/", "\\", "'", "\"", "$", "*", "|", "<", ">", " ");
+    private static final Pattern RESTRICTED_PATTERN = buildPattern();
+
+    private static Pattern buildPattern() {
+        String pattern = RESTRICTED_SYMBOLS.stream()
+                .map(Pattern::quote)
+                .collect(Collectors.joining("|"));
+        return Pattern.compile(pattern);
+    }
+
+    /**
+     * Validates the key against the {@link KeyValidator#RESTRICTED_SYMBOLS} list.
+     * Throws {@link IllegalArgumentException} if the key contains any of them.
+     * @param key A key to be validated
+     * @param keyName A key name mapped to the key
+     */
+    public static void validateKey(final String key, final String keyName) {
+        if (Strings.isBlank(key)) {
+            throw new IllegalArgumentException(String.format("%s may not be null or blank", keyName));
+        }
+
+        Matcher matcher = RESTRICTED_PATTERN.matcher(key);
+        if (matcher.find()) {
+            String foundSymbol = matcher.group();
+            foundSymbol = Objects.equals(foundSymbol, " ") ? "whitespace" : foundSymbol;
+            throw new IllegalArgumentException(String.format("%s can not contain %s", keyName, foundSymbol));
+        }
+    }
+}
diff --git a/logstash-core/src/main/java/org/logstash/secret/SecretIdentifier.java b/logstash-core/src/main/java/org/logstash/secret/SecretIdentifier.java
@@ -60,15 +60,13 @@ public static SecretIdentifier fromExternalForm(String urn) {
     /**
      * Minor validation and downcases the parts
      *
-     * @param part     The part of the URN to validate
+     * @param key      The key, a part of the URN to validate.
      * @param partName The name of the part used for logging.
      * @return The validated and transformed part.
      */
-    private static String validateWithTransform(String part, String partName) {
-        if (part == null || part.isEmpty()) {
-            throw new IllegalArgumentException(String.format("%s may not be null or empty", partName));
-        }
-        return part.toLowerCase(Locale.US);
+    private static String validateWithTransform(String key, String partName) {
+        KeyValidator.validateKey(key, partName);
+        return key.toLowerCase(Locale.US);
     }
 
     @Override
diff --git a/logstash-core/src/test/java/org/logstash/secret/KeyValidatorTest.java b/logstash-core/src/test/java/org/logstash/secret/KeyValidatorTest.java
@@ -0,0 +1,33 @@
+package org.logstash.secret;
+
+import org.junit.Test;
+import java.util.Objects;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertThrows;
+
+public class KeyValidatorTest {
+
+    @Test(expected = Test.None.class) // no exception expected
+    public void testValidKeys() {
+        KeyValidator.validateKey("validKey", "key");
+        KeyValidator.validateKey("test123", "key");
+        KeyValidator.validateKey("under_score", "key");
+        KeyValidator.validateKey("hyphen-key", "key");
+        KeyValidator.validateKey("uri:standard", "key");
+        KeyValidator.validateKey("key-with.extension", "key");
+    }
+
+    @Test
+    public void validateKeyThrowsCorrectMessage() {
+        KeyValidator.RESTRICTED_SYMBOLS.forEach(symbol -> {
+            String key = "random" + symbol + "test";
+            IllegalArgumentException exception = assertThrows(
+                    IllegalArgumentException.class,
+                    () -> KeyValidator.validateKey(key, "key")
+            );
+            final String verifyPart = Objects.equals(" ", symbol) ? "whitespace" : symbol;
+            assertThat(exception.getMessage()).isEqualTo(String.format("key can not contain %s", verifyPart));
+        });
+    }
+}
