f0e44d6810
Fixes #72 ## Why `compilePatterns` silently discards any pattern that fails to compile. A typo in a blocklist entry therefore turns a deny rule into a no-op — a fail-open with security impact. ## Changes - Add `Remote.ValidatePatterns`, which compiles every pattern list (patterns, blocklist, mutable/immutable patterns, ban_tags) and returns an error on the first invalid regex. - Reject invalid patterns with 400 at remote create and update time. - Unit test for valid and invalid patterns. ## Validation - `go test ./pkg/models/` and `make e2e` pass. Reviewed-on: #87 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
package models
import "testing"
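// TestRemote_ValidatePatterns checks that Remote.ValidatePatterns accepts
// well-formed regexes and returns an error for a malformed one.
//
// The rejection path is the security-relevant one: a deny rule whose regex
// never compiles matches nothing, so an unreported compile failure leaves the
// rule silently inactive. Rejection is therefore asserted per pattern list
// rather than for Blocklist alone, so that a list left out of validation
// shows up as a failing subtest.
func TestRemote_ValidatePatterns(t *testing.T) {
	valid := &Remote{
		Patterns:          []string{`.*\.tar\.gz$`},
		Blocklist:         []string{`^secret/`},
		ImmutablePatterns: []string{`\.rpm$`},
	}
	if err := valid.ValidatePatterns(); err != nil {
		t.Fatalf("expected valid patterns, got %v", err)
	}

	// An opening '[' with no closing ']' is not a valid regex.
	const malformed = `[unterminated`

	// NOTE(review): only the Remote fields visible in this file are covered.
	// Any other list ValidatePatterns is meant to check needs a case here as
	// well; confirm the field names on Remote before adding them.
	cases := []struct {
		name   string
		remote *Remote
	}{
		{"patterns", &Remote{Patterns: []string{malformed}}},
		{"blocklist", &Remote{Blocklist: []string{malformed}}},
		{"immutable patterns", &Remote{ImmutablePatterns: []string{malformed}}},
		// A bad entry must be caught even when it follows a good one.
		{"blocklist (after a valid entry)", &Remote{Blocklist: []string{`^secret/`, malformed}}},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			if err := tc.remote.ValidatePatterns(); err == nil {
				t.Fatalf("expected error for invalid %s regex, got nil", tc.name)
			}
		})
	}
}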