Properly validate & normalize GitHub environment names. (#17699)

* Properly validate GitHub environment names

* Fix environment normalization to handle whitespace correctly

* Update translations

* Coverage

Author: di

tests/unit/oidc/forms/test_github.py

@@ -17,6 +17,7 @@
 from requests import ConnectionError, HTTPError, Timeout
 from webob.multidict import MultiDict
 
+from warehouse import i18n
 from warehouse.oidc.forms import github
 from warehouse.packaging.interfaces import (
     ProjectNameUnavailableExistingError,
@@ -391,15 +392,56 @@ def test_validate_workflow_filename(self, workflow_filename):
         with pytest.raises(wtforms.validators.ValidationError):
             form.validate_workflow_filename(field)
 
+    @pytest.mark.parametrize(
+        ("environment", "expected"),
+        [
+            ("f" * 256, "Environment name is too long"),
+            (" foo", "Environment name may not start with whitespace"),
+            ("foo ", "Environment name may not end with whitespace"),
+            ("'", "Environment name must not contain non-printable characters"),
+            ('"', "Environment name must not contain non-printable characters"),
+            ("`", "Environment name must not contain non-printable characters"),
+            (",", "Environment name must not contain non-printable characters"),
+            (";", "Environment name must not contain non-printable characters"),
+            ("\\", "Environment name must not contain non-printable characters"),
+            ("\x00", "Environment name must not contain non-printable characters"),
+            ("\x1f", "Environment name must not contain non-printable characters"),
+            ("\x7f", "Environment name must not contain non-printable characters"),
+            ("\t", "Environment name must not contain non-printable characters"),
+            ("\r", "Environment name must not contain non-printable characters"),
+            ("\n", "Environment name must not contain non-printable characters"),
+        ],
+    )
+    def test_validate_environment_raises(self, environment, expected, monkeypatch):
+        request = pretend.stub(
+            localizer=pretend.stub(translate=pretend.call_recorder(lambda ts: ts))
+        )
+        get_current_request = pretend.call_recorder(lambda: request)
+        monkeypatch.setattr(i18n, "get_current_request", get_current_request)
+
+        form = github.GitHubPublisherForm(api_token=pretend.stub())
+        field = pretend.stub(data=environment)
+
+        with pytest.raises(wtforms.validators.ValidationError) as e:
+            form.validate_environment(field)
+
+        assert str(e.value).startswith(expected)
+
+    @pytest.mark.parametrize("environment", ["", None])
+    def test_validate_environment_passes(self, environment):
+        field = pretend.stub(data=environment)
+        form = github.GitHubPublisherForm(api_token=pretend.stub())
+
+        assert form.validate_environment(field) is None
+
     @pytest.mark.parametrize(
         ("data", "expected"),
         [
-            ("wu-tang", "wu-tang"),
-            ("WU-TANG", "wu-tang"),
-            ("", ""),
-            ("  ", ""),
-            ("\t\r\n", ""),
-            (None, ""),
+            ("wu-tang", "wu-tang"),  # Non-alpha characters are preserved
+            ("WU-TANG", "wu-tang"),  # Alpha characters are lowercased
+            ("Foo   Bar", "foo   bar"),  # Whitespace is preserved
+            ("", ""),  # Empty string is empty string
+            (None, ""),  # None and empty string are equivalent
         ],
     )
     def test_normalized_environment(self, data, expected):

warehouse/locale/messages.pot

@@ -739,54 +739,72 @@ msgstr ""
 msgid "ActiveState actor not found"
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:32
+#: warehouse/oidc/forms/github.py:33
 msgid "Specify GitHub repository owner (username or organization)"
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:39
+#: warehouse/oidc/forms/github.py:40
 msgid "Specify repository name"
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:41
+#: warehouse/oidc/forms/github.py:42
 msgid "Invalid repository name"
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:48
+#: warehouse/oidc/forms/github.py:49
 msgid "Specify workflow filename"
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:83
+#: warehouse/oidc/forms/github.py:84
 msgid "Unknown GitHub user or organization."
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:94
+#: warehouse/oidc/forms/github.py:95
 msgid "GitHub has rate-limited this action. Try again in a few minutes."
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:103
+#: warehouse/oidc/forms/github.py:104
 msgid "Unexpected error from GitHub. Try again."
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:111
+#: warehouse/oidc/forms/github.py:112
 msgid "Unexpected connection error from GitHub. Try again in a few minutes."
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:120
+#: warehouse/oidc/forms/github.py:121
 msgid "Unexpected timeout from GitHub. Try again in a few minutes."
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:132
+#: warehouse/oidc/forms/github.py:133
 msgid "Invalid GitHub user or organization name."
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:148
+#: warehouse/oidc/forms/github.py:149
 msgid "Workflow name must end with .yml or .yaml"
 msgstr ""
 
-#: warehouse/oidc/forms/github.py:153
+#: warehouse/oidc/forms/github.py:154
 msgid "Workflow filename must be a filename only, without directories"
 msgstr ""
 
+#: warehouse/oidc/forms/github.py:165
+msgid "Environment name is too long (maximum is 255 characters)"
+msgstr ""
+
+#: warehouse/oidc/forms/github.py:170
+msgid "Environment name may not start with whitespace"
+msgstr ""
+
+#: warehouse/oidc/forms/github.py:175
+msgid "Environment name may not end with whitespace"
+msgstr ""
+
+#: warehouse/oidc/forms/github.py:181
+msgid ""
+"Environment name must not contain non-printable characters or the "
+"characters \"'\", \"\"\", \"`\", \",\", \";\", \"\\\""
+msgstr ""
+
 #: warehouse/oidc/forms/gitlab.py:32
 msgid "Name ends with .git or .atom"
 msgstr ""

warehouse/oidc/forms/github.py

@@ -21,6 +21,7 @@
 
 _VALID_GITHUB_REPO = re.compile(r"^[a-zA-Z0-9-_.]+$")
 _VALID_GITHUB_OWNER = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*$")
+_INVALID_ENVIRONMENT_CHARS = re.compile(r'[\x00-\x1F\x7F\'"`,;\\]', re.UNICODE)
 
 
 class GitHubPublisherBase(wtforms.Form):
@@ -153,16 +154,42 @@ def validate_workflow_filename(self, field):
                 _("Workflow filename must be a filename only, without directories")
             )
 
+    def validate_environment(self, field):
+        environment = field.data
+
+        if not environment:
+            return
+
+        if len(environment) > 255:
+            raise wtforms.validators.ValidationError(
+                _("Environment name is too long (maximum is 255 characters)")
+            )
+
+        if environment.startswith(" "):
+            raise wtforms.validators.ValidationError(
+                _("Environment name may not start with whitespace")
+            )
+
+        if environment.endswith(" "):
+            raise wtforms.validators.ValidationError(
+                _("Environment name may not end with whitespace")
+            )
+
+        if _INVALID_ENVIRONMENT_CHARS.search(environment):
+            raise wtforms.validators.ValidationError(
+                _(
+                    "Environment name must not contain non-printable characters "
+                    'or the characters "\'", """, "`", ",", ";", "\\"'
+                )
+            )
+
     @property
     def normalized_environment(self):
+        # The only normalization is due to case-insensitivity.
+        #
         # NOTE: We explicitly do not compare `self.environment.data` to None,
-        # since it might also be falsey via an empty string (or might be
-        # only whitespace, which we also treat as a None case).
-        return (
-            self.environment.data.lower()
-            if self.environment.data and not self.environment.data.isspace()
-            else ""
-        )
+        # since it might also be falsey via an empty string.
+        return self.environment.data.lower() if self.environment.data else ""
 
 
 class PendingGitHubPublisherForm(GitHubPublisherBase, PendingPublisherMixin):